postgres

History

Tom Lane adc97d03b9 Prevent access to external files/URLs via contrib/xml2's xslt_process().

libxslt offers the ability to read and write both files and URLs through
stylesheet commands, thus allowing unprivileged database users to both read
and write data with the privileges of the database server.  Disable that
through proper use of libxslt's security options.

Also, remove xslt_process()'s ability to fetch documents and stylesheets
from external files/URLs.  While this was a documented "feature", it was
long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
capability, and rather than expend effort on trying to fix it, we're just
going to summarily remove it.

While the ability to write as well as read makes this security hole
considerably worse than CVE-2012-3489, the problem is mitigated by the fact
that xslt_process() is not available unless contrib/xml2 is installed,
and the longstanding warnings about security risks from that should have
discouraged prudent DBAs from installing it in security-exposed databases.

Reported and fixed by Peter Eisentraut.

Security: CVE-2012-3488

2012-08-14 18:31:18 -04:00

adminpack

Update copyright notices for year 2012.

2012-01-01 18:01:58 -05:00

auth_delay

pgindent run before PG 9.1 beta 1.

2011-04-10 11:42:00 -04:00

auto_explain

Run pgindent on 9.2 source tree in preparation for first 9.3

2012-06-10 15:20:04 -04:00

btree_gin

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

btree_gist

Reduce messages about implicit indexes and sequences to DEBUG1.

2012-07-04 20:35:29 -04:00

chkpass

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

citext

Reduce messages about implicit indexes and sequences to DEBUG1.

2012-07-04 20:35:29 -04:00

cube

Replace int2/int4 in C code with int16/int32

2012-06-25 01:51:46 +03:00

dblink

Replace libpq's "row processor" API with a "single row" mode.

2012-08-02 13:10:30 -04:00

dict_int

Update copyright notices for year 2012.

2012-01-01 18:01:58 -05:00

dict_xsyn

Update copyright notices for year 2012.

2012-01-01 18:01:58 -05:00

dummy_seclabel

Update copyright notices for year 2012.

2012-01-01 18:01:58 -05:00

earthdistance

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

file_fdw

Skip text->binary conversion of unnecessary columns in contrib/file_fdw.

2012-07-12 16:26:59 -04:00

fuzzystrmatch

Even more duplicate word removal, in the spirit of the season

2012-05-02 20:56:03 +03:00

hstore

Remove unreachable code

2012-07-16 22:15:03 +03:00

intagg

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

intarray

Remove unreachable code

2012-07-16 22:15:03 +03:00

isn

Update copyright notices for year 2012.

2012-01-01 18:01:58 -05:00

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

ltree

Remove unreachable code

2012-07-16 22:15:03 +03:00

oid2name

Make oid2name, pgbench, and vacuumlo set fallback_application_name.

2012-07-04 15:39:33 -04:00

pageinspect

Replace XLogRecPtr struct with a 64-bit integer.

2012-06-24 19:19:45 +03:00

passwordcheck

Update copyright notices for year 2012.

2012-01-01 18:01:58 -05:00

pg_archivecleanup

Make documentation of --help and --version options more consistent

2012-06-18 02:46:59 +03:00

pg_buffercache

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

pg_freespacemap

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

pg_standby

Make documentation of --help and --version options more consistent

2012-06-18 02:46:59 +03:00

pg_stat_statements

Make new event trigger facility actually do something.

2012-07-20 11:39:01 -04:00

pg_test_fsync

Run pgindent on 9.2 source tree in preparation for first 9.3

2012-06-10 15:20:04 -04:00

pg_test_timing

Run pgindent on 9.2 source tree in preparation for first 9.3

2012-06-10 15:20:04 -04:00

pg_trgm

Replace int2/int4 in C code with int16/int32

2012-06-25 01:51:46 +03:00

pg_upgrade

Prevent pg_upgrade from crashing if it can't write to the current

2012-08-10 17:14:48 -04:00

pg_upgrade_support

Update copyright notices for year 2012.

2012-01-01 18:01:58 -05:00

pgbench

Make pgbench vacuum before building indexes.

2012-07-23 14:42:35 -04:00

pgcrypto

Run pgindent on 9.2 source tree in preparation for first 9.3

2012-06-10 15:20:04 -04:00

pgrowlocks

Throw a useful error message if an extension script file is fed to psql.

2011-10-12 15:45:03 -04:00

pgstattuple

Reduce messages about implicit indexes and sequences to DEBUG1.

2012-07-04 20:35:29 -04:00

seg

Run newly-configured perltidy script on Perl files.

2012-07-04 21:47:49 -04:00

sepgsql

Reduce messages about implicit indexes and sequences to DEBUG1.

2012-07-04 20:35:29 -04:00

spi

Run pgindent on 9.2 source tree in preparation for first 9.3

2012-06-10 15:20:04 -04:00

sslinfo

Lots of doc corrections.

2012-04-23 22:43:09 -04:00

start-scripts

Support Linux's oom_score_adj API as well as the older oom_adj API.

2012-06-13 15:35:52 -04:00

tablefunc

Reduce messages about implicit indexes and sequences to DEBUG1.

2012-07-04 20:35:29 -04:00

tcn

Triggered change notifications.

2012-01-19 23:15:15 -05:00

test_parser

Fix one-byte buffer overrun in contrib/test_parser.

2012-01-09 19:56:27 -05:00

tsearch2

2012-01-01 18:01:58 -05:00

unaccent

Fix some typos

2012-04-22 19:23:47 +03:00

uuid-ossp

2012-01-01 18:01:58 -05:00

vacuumlo

Make oid2name, pgbench, and vacuumlo set fallback_application_name.

2012-07-04 15:39:33 -04:00

xml2

Prevent access to external files/URLs via contrib/xml2's xslt_process().

2012-08-14 18:31:18 -04:00

contrib-global.mk

Remove cvs keywords from all files.

2010-09-20 22:08:53 +02:00

Makefile

pg_test_timing utility, to measure clock monotonicity and timing cost.

2012-03-27 16:14:00 -04:00

README

Update contrib/README

2012-04-14 09:29:54 +03:00

README

The PostgreSQL contrib tree
---------------------------

This subtree contains porting tools, analysis utilities, and plug-in
features that are not part of the core PostgreSQL system, mainly
because they address a limited audience or are too experimental to be
part of the main source tree.  This does not preclude their
usefulness.

User documentation for each module appears in the main SGML
documentation.

When building from the source distribution, these modules are not
built automatically, unless you build the "world" target.  You can
also build and install them all by running "gmake all" and "gmake
install" in this directory; or to build and install just one selected
module, do the same in that module's subdirectory.

Some directories supply new user-defined functions, operators, or
types.  To make use of one of these modules, after you have installed
the code you need to register the new SQL objects in the database
system by executing a CREATE EXTENSION command.  In a fresh database,
you can simply do

    CREATE EXTENSION module_name;

See the PostgreSQL documentation for more information about this
procedure.