OSSForks/postgres
1
0
Fork 0
mirror of https://github.com/zebrajr/postgres.git synced 2025-12-07 12:20:31 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
d5fe5fb232
postgres/src
History
Tom Lane d5fe5fb232 Make json{b}_populate_recordset() use the right tuple descriptor. 
json{b}_populate_recordset() used the tuple descriptor created from the
query-level AS clause without worrying about whether it matched the actual
input record type.  If it didn't, that would usually result in a crash,
though disclosure of server memory contents seems possible as well, for a
skilled attacker capable of issuing crafted SQL commands.  Instead, use
the query-supplied descriptor only when there is no input tuple to look at,
and otherwise get a tuple descriptor based on the input tuple's own type
marking.  The core code will detect any type mismatch in the latter case.

Michael Paquier and Tom Lane, per a report from David Rowley.
Back-patch to 9.3 where this functionality was introduced.

Security: CVE-2017-15098
2017-11-06 10:29:40 -05:00
..
backend Make json{b}_populate_recordset() use the right tuple descriptor. 2017-11-06 10:29:40 -05:00
bin Translation updates 2017-11-05 17:02:54 -05:00
common pgindent run for 9.5 2015-05-23 21:35:49 -04:00
include Always require SELECT permission for ON CONFLICT DO UPDATE. 2017-11-06 09:15:11 +00:00
interfaces Add a temp-install prerequisite to "check"-like targets not having one. 2017-11-05 18:54:52 -08:00
makefiles Always use -fPIC, not -fpic, when building shared libraries with gcc. 2017-06-01 13:32:56 -04:00
pl Translation updates 2017-08-28 10:15:52 -04:00
port Stamp 9.5.9. 2017-08-28 17:24:28 -04:00
template AIX: Test the -qlonglong option before use. 2015-07-17 03:01:29 -04:00
test Make json{b}_populate_recordset() use the right tuple descriptor. 2017-11-06 10:29:40 -05:00
timezone Update time zone data files to tzdata release 2017c. 2017-10-23 18:15:51 -04:00
tools Improve gendef.pl diagnostic on failure to open sym file 2017-10-26 10:11:20 -04:00
tutorial Remove no-longer-required function declarations. 2015-05-24 12:20:23 -04:00
.gitignore
bcc32.mak
DEVELOPERS
Makefile Install TAP test infrastructure so it's available for extension testing. 2016-09-23 15:50:00 -04:00
Makefile.global.in PL/Perl portability fix: absorb relevant -D switches from Perl. 2017-07-31 12:38:35 -04:00
Makefile.shlib Fix typos in comments. 2017-02-06 11:34:18 +02:00
nls-global.mk nls-global.mk: search build dir for source files, too 2016-06-07 18:55:18 -04:00
win32.mak