Age | Commit message | Author
2024-11-14 | xml2: Add tests for functions xpath_nodeset() and xpath_list() | Michael Paquier

These two functions with their different argument lists have never been tested in this module, so let's add something.

Author: Ronan Dunklau
Discussion: https://postgr.es/m/ZzMSJkiNZhimjXWx@paquier.xyz
2012-08-14 | Prevent access to external files/URLs via contrib/xml2's xslt_process(). | Tom Lane

libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options.

Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented "feature", it was long regarded as a terrible idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it.

While the ability to write as well as read makes this security hole considerably worse than CVE-2012-3489, the problem is mitigated by the fact that xslt_process() is not available unless contrib/xml2 is installed, and the longstanding warnings about security risks from that should have discouraged prudent DBAs from installing it in security-exposed databases.

Reported and fixed by Peter Eisentraut.

Security: CVE-2012-3488
2011-02-14 | Convert contrib modules to use the extension facility. | Tom Lane

This isn't fully tested as yet, in particular I'm not sure that the "foo--unpackaged--1.0.sql" scripts are OK. But it's time to get some buildfarm cycles on it.

sepgsql is not converted to an extension, mainly because it seems to require a very nonstandard installation process.

Dimitri Fontaine and Tom Lane
2010-11-23 | Remove useless whitespace at end of lines | Peter Eisentraut
2010-08-10 | Remove the arbitrary (and undocumented) limit on the number of parameter=value | Tom Lane

pairs that can be handled by xslt_process(). There is much else to do here, but this patch seems useful in its own right for as long as this code survives.

Pavel Stehule, reviewed by Mike Fowler
2010-02-28 | Fix up memory management problems in contrib/xml2. | Tom Lane

Get rid of the code that attempted to funnel libxml2's memory allocations into palloc. We already knew from experience with the core xml datatype that trying to do this is simply not reliable. Unlike the core code, I did not bother adding a lot of PG_TRY/PG_CATCH logic to try to ensure that everything is cleaned up on error exit. Hence, we might leak some memory if one of these functions fails partway through. Given the deprecated status of this contrib module and the fact that errors partway through the functions shouldn't be too common, it doesn't seem worth worrying about.

Also fix a separate bug in xpath_table, that it did the wrong things if given a result tuple descriptor with less than 2 columns. While such a case isn't very useful in practice, we shouldn't fail or stomp memory when it occurs.

Add some simple regression tests based on all the reported crash cases that I have on hand. This should be back-patched, but let's see if the buildfarm likes it first.