#include "catalog/pg_class.h"
+#include "fe_utils/connect.h"
#include "libpq-fe.h"
#include "pg_getopt.h"
bool have_password = false;
char password[100];
bool new_pass;
+ PGresult *res;
/*
* Start the connection. Loop until we have a password if requested by
exit(1);
}
+ res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+ if (PQresultStatus(res) != PGRES_TUPLES_OK)
+ {
+ fprintf(stderr, "oid2name: could not clear search_path: %s\n",
+ PQerrorMessage(conn));
+ PQclear(res);
+ PQfinish(conn);
+ exit(-1);
+ }
+ PQclear(res);
+
/* return the conn if good */
return conn;
}
#include "catalog/pg_class.h"
+#include "fe_utils/connect.h"
#include "libpq-fe.h"
#include "pg_getopt.h"
fprintf(stdout, "Test run: no large objects will be removed!\n");
}
- /*
- * Don't get fooled by any non-system catalogs
- */
- res = PQexec(conn, "SET search_path = pg_catalog");
- if (PQresultStatus(res) != PGRES_COMMAND_OK)
+ res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+ if (PQresultStatus(res) != PGRES_TUPLES_OK)
{
fprintf(stderr, "Failed to set search_path:\n");
fprintf(stderr, "%s", PQerrorMessage(conn));
/* must unblock signals before calling rebuild_database_list */
PG_SETMASK(&UnBlockSig);
+ /*
+ * Set always-secure search path. Launcher doesn't connect to a database,
+ * so this has no effect.
+ */
+ SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
+
/*
* Force zero_damaged_pages OFF in the autovac process, even if it is set
* in postgresql.conf. We don't really want such a dangerous option being
PG_SETMASK(&UnBlockSig);
+ /*
+ * Set always-secure search path, so malicious users can't redirect user
+ * code (e.g. pg_index.indexprs). (That code runs in a
+ * SECURITY_RESTRICTED_OPERATION sandbox, so malicious users could not
+ * take control of the entire autovacuum worker in any case.)
+ */
+ SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
+
/*
* Force zero_damaged_pages OFF in the autovac process, even if it is set
* in postgresql.conf. We don't really want such a dangerous option being
#include "access/xlog_internal.h"
#include "common/fe_memutils.h"
#include "datatype/timestamp.h"
+#include "fe_utils/connect.h"
#include "port/pg_bswap.h"
#include "pqexpbuffer.h"
if (conn_opts)
PQconninfoFree(conn_opts);
+ /* Set always-secure search path, so malicious users can't get control. */
+ if (dbname != NULL)
+ {
+ PGresult *res;
+
+ res = PQexec(tmpconn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+ if (PQresultStatus(res) != PGRES_TUPLES_OK)
+ {
+ fprintf(stderr, _("%s: could not clear search_path: %s\n"),
+ progname, PQerrorMessage(tmpconn));
+ PQclear(res);
+ PQfinish(tmpconn);
+ exit(1);
+ }
+ PQclear(res);
+ }
+
/*
* Ensure we have the same value of integer_datetimes (now always "on") as
* the server we are connecting to.
#include "postgres_fe.h"
#include "dumputils.h"
+#include "fe_utils/connect.h"
#include "fe_utils/string_utils.h"
#include "parallel.h"
#include "pg_backup_archiver.h"
PQfinish(AH->connection);
AH->connection = newConn;
+
+ /* Start strict; later phases may override this. */
+ PQclear(ExecuteSqlQueryForSingleRow((Archive *) AH,
+ ALWAYS_SECURE_SEARCH_PATH_SQL));
}
/*
PQdb(AH->connection) ? PQdb(AH->connection) : "",
PQerrorMessage(AH->connection));
+ /* Start strict; later phases may override this. */
+ PQclear(ExecuteSqlQueryForSingleRow((Archive *) AH,
+ ALWAYS_SECURE_SEARCH_PATH_SQL));
+
/*
* We want to remember connection's actual password, whether or not we got
* it by prompting. So we don't just store the password variable.
#include "pg_backup_db.h"
#include "pg_backup_utils.h"
#include "pg_dump.h"
+#include "fe_utils/connect.h"
#include "fe_utils/string_utils.h"
PGconn *conn = GetConnection(AH);
const char *std_strings;
+ PQclear(ExecuteSqlQueryForSingleRow(AH, ALWAYS_SECURE_SEARCH_PATH_SQL));
+
/*
* Set the client encoding if requested.
*/
for (cell = patterns->head; cell; cell = cell->next)
{
+ /*
+ * Query must remain ABSOLUTELY devoid of unqualified names. This
+ * would be unnecessary given a pg_table_is_visible() variant taking a
+ * search_path argument.
+ */
appendPQExpBuffer(query,
"SELECT c.oid"
"\nFROM pg_catalog.pg_class c"
- "\n LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace"
- "\nWHERE c.relkind in ('%c', '%c', '%c', '%c', '%c', '%c')\n",
+ "\n LEFT JOIN pg_catalog.pg_namespace n"
+ "\n ON n.oid OPERATOR(pg_catalog.=) c.relnamespace"
+ "\nWHERE c.relkind OPERATOR(pg_catalog.=) ANY"
+ "\n (array['%c', '%c', '%c', '%c', '%c', '%c'])\n",
RELKIND_RELATION, RELKIND_SEQUENCE, RELKIND_VIEW,
RELKIND_MATVIEW, RELKIND_FOREIGN_TABLE,
RELKIND_PARTITIONED_TABLE);
false, "n.nspname", "c.relname", NULL,
"pg_catalog.pg_table_is_visible(c.oid)");
+ ExecuteSqlStatement(fout, "RESET search_path");
res = ExecuteSqlQuery(fout, query->data, PGRES_TUPLES_OK);
+ PQclear(ExecuteSqlQueryForSingleRow(fout,
+ ALWAYS_SECURE_SEARCH_PATH_SQL));
if (strict_names && PQntuples(res) == 0)
exit_horribly(NULL, "no matching tables were found for pattern \"%s\"\n", cell->val);
#include "dumputils.h"
#include "pg_backup.h"
#include "common/file_utils.h"
+#include "fe_utils/connect.h"
#include "fe_utils/string_utils.h"
/* version string we expect back from pg_dump */
exit_nicely(1);
}
- /*
- * Make sure we are not fooled by non-system schemas in the search path.
- */
- executeCommand(conn, "SET search_path = pg_catalog");
+ PQclear(executeQuery(conn, ALWAYS_SECURE_SEARCH_PATH_SQL));
return conn;
}
#include "libpq-fe.h"
#include "catalog/catalog.h"
#include "catalog/pg_type.h"
+#include "fe_utils/connect.h"
#include "port/pg_bswap.h"
static PGconn *conn = NULL;
pg_log(PG_PROGRESS, "connected to server\n");
+ res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+ if (PQresultStatus(res) != PGRES_TUPLES_OK)
+ pg_fatal("could not clear search_path: %s",
+ PQresultErrorMessage(res));
+ PQclear(res);
+
/*
* Check that the server is not in hot standby mode. There is no
* fundamental reason that couldn't be made to work, but it doesn't
#include "postgres_fe.h"
+#include "fe_utils/connect.h"
#include "fe_utils/string_utils.h"
#include "pg_upgrade.h"
exit(1);
}
+ PQclear(executeQueryOrDie(conn, ALWAYS_SECURE_SEARCH_PATH_SQL));
+
return conn;
}
PGconn *conn;
+ conn = connectDatabase(dbname, host, port, username, prompt_password,
+ progname, echo, false, false);
+
initPQExpBuffer(&sql);
appendPQExpBufferStr(&sql, "CLUSTER");
if (verbose)
appendPQExpBufferStr(&sql, " VERBOSE");
if (table)
- appendPQExpBuffer(&sql, " %s", table);
+ {
+ appendPQExpBufferChar(&sql, ' ');
+ appendQualifiedRelation(&sql, table, conn, progname, echo);
+ }
appendPQExpBufferChar(&sql, ';');
- conn = connectDatabase(dbname, host, port, username, prompt_password,
- progname, false, false);
if (!executeMaintenanceCommand(conn, sql.data, echo))
{
if (table)
int i;
conn = connectMaintenanceDatabase(maintenance_db, host, port, username,
- prompt_password, progname);
+ prompt_password, progname, echo);
result = executeQuery(conn, "SELECT datname FROM pg_database WHERE datallowconn ORDER BY 1;", progname, echo);
PQfinish(conn);
#include <unistd.h>
#include "common.h"
+#include "fe_utils/connect.h"
+#include "fe_utils/string_utils.h"
static PGcancel *volatile cancelConn = NULL;
* as before, else we might create password exposure hazards.)
*/
PGconn *
-connectDatabase(const char *dbname, const char *pghost, const char *pgport,
- const char *pguser, enum trivalue prompt_password,
- const char *progname, bool fail_ok, bool allow_password_reuse)
+connectDatabase(const char *dbname, const char *pghost,
+ const char *pgport, const char *pguser,
+ enum trivalue prompt_password, const char *progname,
+ bool echo, bool fail_ok, bool allow_password_reuse)
{
PGconn *conn;
bool new_pass;
exit(1);
}
+ if (PQserverVersion(conn) >= 70300)
+ PQclear(executeQuery(conn, ALWAYS_SECURE_SEARCH_PATH_SQL,
+ progname, echo));
+
return conn;
}
* Try to connect to the appropriate maintenance database.
*/
PGconn *
-connectMaintenanceDatabase(const char *maintenance_db, const char *pghost,
- const char *pgport, const char *pguser,
- enum trivalue prompt_password,
- const char *progname)
+connectMaintenanceDatabase(const char *maintenance_db,
+ const char *pghost, const char *pgport,
+ const char *pguser, enum trivalue prompt_password,
+ const char *progname, bool echo)
{
PGconn *conn;
/* If a maintenance database name was specified, just connect to it. */
if (maintenance_db)
return connectDatabase(maintenance_db, pghost, pgport, pguser,
- prompt_password, progname, false, false);
+ prompt_password, progname, echo, false, false);
/* Otherwise, try postgres first and then template1. */
conn = connectDatabase("postgres", pghost, pgport, pguser, prompt_password,
- progname, true, false);
+ progname, echo, true, false);
if (!conn)
conn = connectDatabase("template1", pghost, pgport, pguser,
- prompt_password, progname, false, false);
+ prompt_password, progname, echo, false, false);
return conn;
}
return r;
}
+
+/*
+ * Split TABLE[(COLUMNS)] into TABLE and [(COLUMNS)] portions. When you
+ * finish using them, pg_free(*table). *columns is a pointer into "spec",
+ * possibly to its NUL terminator.
+ */
+static void
+split_table_columns_spec(const char *spec, int encoding,
+ char **table, const char **columns)
+{
+ bool inquotes = false;
+ const char *cp = spec;
+
+ /*
+ * Find the first '(' not identifier-quoted. Based on
+ * dequote_downcase_identifier().
+ */
+ while (*cp && (*cp != '(' || inquotes))
+ {
+ if (*cp == '"')
+ {
+ if (inquotes && cp[1] == '"')
+ cp++; /* pair does not affect quoting */
+ else
+ inquotes = !inquotes;
+ cp++;
+ }
+ else
+ cp += PQmblen(cp, encoding);
+ }
+ *table = pg_strdup(spec);
+ (*table)[cp - spec] = '\0'; /* no strndup */
+ *columns = cp;
+}
+
+/*
+ * Break apart TABLE[(COLUMNS)] of "spec". With the reset_val of search_path
+ * in effect, have regclassin() interpret the TABLE portion. Append to "buf"
+ * the qualified name of TABLE, followed by any (COLUMNS). Exit on failure.
+ * We use this to interpret --table=foo under the search path psql would get,
+ * in advance of "ANALYZE public.foo" under the always-secure search path.
+ */
+void
+appendQualifiedRelation(PQExpBuffer buf, const char *spec,
+ PGconn *conn, const char *progname, bool echo)
+{
+ char *table;
+ const char *columns;
+ PQExpBufferData sql;
+ PGresult *res;
+ int ntups;
+
+ /* Before 7.3, the concept of qualifying a name did not exist. */
+ if (PQserverVersion(conn) < 70300)
+ {
+ appendPQExpBufferStr(&sql, spec);
+ return;
+ }
+
+ split_table_columns_spec(spec, PQclientEncoding(conn), &table, &columns);
+
+ /*
+ * Query must remain ABSOLUTELY devoid of unqualified names. This would
+ * be unnecessary given a regclassin() variant taking a search_path
+ * argument.
+ */
+ initPQExpBuffer(&sql);
+ appendPQExpBufferStr(&sql,
+ "SELECT c.relname, ns.nspname\n"
+ " FROM pg_catalog.pg_class c,"
+ " pg_catalog.pg_namespace ns\n"
+ " WHERE c.relnamespace OPERATOR(pg_catalog.=) ns.oid\n"
+ " AND c.oid OPERATOR(pg_catalog.=) ");
+ appendStringLiteralConn(&sql, table, conn);
+ appendPQExpBufferStr(&sql, "::pg_catalog.regclass;");
+
+ executeCommand(conn, "RESET search_path", progname, echo);
+
+ /*
+ * One row is a typical result, as is a nonexistent relation ERROR.
+ * regclassin() unconditionally accepts all-digits input as an OID; if no
+ * relation has that OID; this query returns no rows. Catalog corruption
+ * might elicit other row counts.
+ */
+ res = executeQuery(conn, sql.data, progname, echo);
+ ntups = PQntuples(res);
+ if (ntups != 1)
+ {
+ fprintf(stderr,
+ ngettext("%s: query returned %d row instead of one: %s\n",
+ "%s: query returned %d rows instead of one: %s\n",
+ ntups),
+ progname, ntups, sql.data);
+ PQfinish(conn);
+ exit(1);
+ }
+ appendPQExpBufferStr(buf,
+ fmtQualifiedId(PQserverVersion(conn),
+ PQgetvalue(res, 0, 1),
+ PQgetvalue(res, 0, 0)));
+ appendPQExpBufferStr(buf, columns);
+ PQclear(res);
+ termPQExpBuffer(&sql);
+ pg_free(table);
+
+ PQclear(executeQuery(conn, ALWAYS_SECURE_SEARCH_PATH_SQL,
+ progname, echo));
+}
+
+
/*
* Check yes/no answer in a localized way. 1=yes, 0=no, -1=neither.
*/
extern PGconn *connectDatabase(const char *dbname, const char *pghost,
const char *pgport, const char *pguser,
enum trivalue prompt_password, const char *progname,
- bool fail_ok, bool allow_password_reuse);
+ bool echo, bool fail_ok, bool allow_password_reuse);
extern PGconn *connectMaintenanceDatabase(const char *maintenance_db,
- const char *pghost, const char *pgport, const char *pguser,
- enum trivalue prompt_password, const char *progname);
+ const char *pghost, const char *pgport,
+ const char *pguser, enum trivalue prompt_password,
+ const char *progname, bool echo);
extern PGresult *executeQuery(PGconn *conn, const char *query,
const char *progname, bool echo);
extern bool executeMaintenanceCommand(PGconn *conn, const char *query,
bool echo);
+extern void appendQualifiedRelation(PQExpBuffer buf, const char *name,
+ PGconn *conn, const char *progname, bool echo);
+
extern bool yesno_prompt(const char *question);
extern void setup_cancel_handler(void);
maintenance_db = "template1";
conn = connectMaintenanceDatabase(maintenance_db, host, port, username,
- prompt_password, progname);
+ prompt_password, progname, echo);
if (echo)
printf("%s\n", sql.data);
login = TRI_YES;
conn = connectDatabase("postgres", host, port, username, prompt_password,
- progname, false, false);
+ progname, echo, false, false);
initPQExpBuffer(&sql);
maintenance_db = "template1";
conn = connectMaintenanceDatabase(maintenance_db,
- host, port, username, prompt_password, progname);
+ host, port, username, prompt_password,
+ progname, echo);
if (echo)
printf("%s\n", sql.data);
(if_exists ? "IF EXISTS " : ""), fmtId(dropuser));
conn = connectDatabase("postgres", host, port, username, prompt_password,
- progname, false, false);
+ progname, echo, false, false);
if (echo)
printf("%s\n", sql.data);
PGconn *conn;
conn = connectDatabase(dbname, host, port, username, prompt_password,
- progname, false, false);
+ progname, echo, false, false);
initPQExpBuffer(&sql);
- appendPQExpBufferStr(&sql, "REINDEX");
+ appendPQExpBufferStr(&sql, "REINDEX ");
if (verbose)
- appendPQExpBufferStr(&sql, " (VERBOSE)");
+ appendPQExpBufferStr(&sql, "(VERBOSE) ");
- if (strcmp(type, "TABLE") == 0)
- appendPQExpBuffer(&sql, " TABLE %s", name);
- else if (strcmp(type, "INDEX") == 0)
- appendPQExpBuffer(&sql, " INDEX %s", name);
+ appendPQExpBufferStr(&sql, type);
+ appendPQExpBufferChar(&sql, ' ');
+ if (strcmp(type, "TABLE") == 0 ||
+ strcmp(type, "INDEX") == 0)
+ appendQualifiedRelation(&sql, name, conn, progname, echo);
else if (strcmp(type, "SCHEMA") == 0)
- appendPQExpBuffer(&sql, " SCHEMA %s", name);
+ appendPQExpBufferStr(&sql, name);
else if (strcmp(type, "DATABASE") == 0)
- appendPQExpBuffer(&sql, " DATABASE %s", fmtId(PQdb(conn)));
+ appendPQExpBufferStr(&sql, fmtId(PQdb(conn)));
appendPQExpBufferChar(&sql, ';');
if (!executeMaintenanceCommand(conn, sql.data, echo))
int i;
conn = connectMaintenanceDatabase(maintenance_db, host, port, username,
- prompt_password, progname);
+ prompt_password, progname, echo);
result = executeQuery(conn, "SELECT datname FROM pg_database WHERE datallowconn ORDER BY 1;", progname, echo);
PQfinish(conn);
PQExpBufferData sql;
conn = connectDatabase(dbname, host, port, username, prompt_password,
- progname, false, false);
+ progname, echo, false, false);
initPQExpBuffer(&sql);
);
$node->issues_sql_like(
[ 'clusterdb', '-t', 'test1' ],
- qr/statement: CLUSTER test1;/,
+ qr/statement: CLUSTER public\.test1;/,
'cluster specific table');
$node->command_ok([qw(clusterdb --echo --verbose dbname=template1)],
'CREATE TABLE test1 (a int); CREATE INDEX test1x ON test1 (a);');
$node->issues_sql_like(
[ 'reindexdb', '-t', 'test1', 'postgres' ],
- qr/statement: REINDEX TABLE test1;/,
+ qr/statement: REINDEX TABLE public\.test1;/,
'reindex specific table');
$node->issues_sql_like(
[ 'reindexdb', '-i', 'test1x', 'postgres' ],
- qr/statement: REINDEX INDEX test1x;/,
+ qr/statement: REINDEX INDEX public\.test1x;/,
'reindex specific index');
$node->issues_sql_like(
[ 'reindexdb', '-S', 'pg_catalog', 'postgres' ],
'reindex system tables');
$node->issues_sql_like(
[ 'reindexdb', '-v', '-t', 'test1', 'postgres' ],
- qr/statement: REINDEX \(VERBOSE\) TABLE test1;/,
+ qr/statement: REINDEX \(VERBOSE\) TABLE public\.test1;/,
'reindex with verbose output');
$node->command_ok([qw(reindexdb --echo --table=pg_am dbname=template1)],
use PostgresNode;
use TestLib;
-use Test::More tests => 19;
+use Test::More tests => 23;
program_help_ok('vacuumdb');
program_version_ok('vacuumdb');
qr/statement: VACUUM \(FREEZE\);/,
'vacuumdb -F');
$node->issues_sql_like(
- [ 'vacuumdb', '-z', 'postgres' ],
- qr/statement: VACUUM \(ANALYZE\);/,
- 'vacuumdb -z');
+ [ 'vacuumdb', '-zj2', 'postgres' ],
+ qr/statement: VACUUM \(ANALYZE\) pg_catalog\./,
+ 'vacuumdb -zj2');
$node->issues_sql_like(
[ 'vacuumdb', '-Z', 'postgres' ],
qr/statement: ANALYZE;/,
'vacuumdb -Z');
$node->command_ok([qw(vacuumdb -Z --table=pg_am dbname=template1)],
'vacuumdb with connection string');
+
+$node->command_fails([qw(vacuumdb -Zt pg_am;ABORT postgres)],
+ 'trailing command in "-t", without COLUMNS');
+# Unwanted; better if it failed.
+$node->command_ok([qw(vacuumdb -Zt pg_am(amname);ABORT postgres)],
+ 'trailing command in "-t", with COLUMNS');
+
+$node->safe_psql('postgres', q|
+ CREATE TABLE "need""q(uot" (")x" text);
+
+ CREATE FUNCTION f0(int) RETURNS int LANGUAGE SQL AS 'SELECT $1 * $1';
+ CREATE FUNCTION f1(int) RETURNS int LANGUAGE SQL AS 'SELECT f0($1)';
+ CREATE TABLE funcidx (x int);
+ INSERT INTO funcidx VALUES (0),(1),(2),(3);
+ CREATE INDEX i0 ON funcidx ((f1(x)));
+|);
+$node->command_ok([qw|vacuumdb -Z --table="need""q(uot"(")x") postgres|],
+ 'column list');
+$node->command_fails([qw|vacuumdb -Zt funcidx postgres|],
+ 'unqualifed name via functional index');
const char *progname, bool echo, bool quiet);
static void prepare_vacuum_command(PQExpBuffer sql, PGconn *conn,
- vacuumingOptions *vacopts, const char *table);
+ vacuumingOptions *vacopts, const char *table,
+ bool table_pre_qualified,
+ const char *progname, bool echo);
static void run_vacuum_command(PGconn *conn, const char *sql, bool echo,
const char *table, const char *progname, bool async);
(stage >= 0 && stage < ANALYZE_NUM_STAGES));
conn = connectDatabase(dbname, host, port, username, prompt_password,
- progname, false, true);
+ progname, echo, false, true);
if (!quiet)
{
for (i = 1; i < concurrentCons; i++)
{
conn = connectDatabase(dbname, host, port, username, prompt_password,
- progname, false, true);
+ progname, echo, false, true);
init_slot(slots + i, conn, progname);
}
}
ParallelSlot *free_slot;
const char *tabname = cell ? cell->val : NULL;
- prepare_vacuum_command(&sql, conn, vacopts, tabname);
+ prepare_vacuum_command(&sql, conn, vacopts, tabname,
+ tables == &dbtables, progname, echo);
if (CancelRequested)
{
int stage;
int i;
- conn = connectMaintenanceDatabase(maintenance_db, host, port,
- username, prompt_password, progname);
+ conn = connectMaintenanceDatabase(maintenance_db, host, port, username,
+ prompt_password, progname, echo);
result = executeQuery(conn,
"SELECT datname FROM pg_database WHERE datallowconn ORDER BY 1;",
progname, echo);
* quoted. The command is semicolon-terminated.
*/
static void
-prepare_vacuum_command(PQExpBuffer sql, PGconn *conn, vacuumingOptions *vacopts,
- const char *table)
+prepare_vacuum_command(PQExpBuffer sql, PGconn *conn,
+ vacuumingOptions *vacopts, const char *table,
+ bool table_pre_qualified,
+ const char *progname, bool echo)
{
resetPQExpBuffer(sql);
}
if (table)
- appendPQExpBuffer(sql, " %s", table);
+ {
+ appendPQExpBufferChar(sql, ' ');
+ if (table_pre_qualified)
+ appendPQExpBufferStr(sql, table);
+ else
+ appendQualifiedRelation(sql, table, conn, progname, echo);
+ }
appendPQExpBufferChar(sql, ';');
}
}
/*
- * Now decide what we need to emit. Note there will be a leading "^(" in
- * the patterns in any case.
+ * Now decide what we need to emit. We may run under a hostile
+ * search_path, so qualify EVERY name. Note there will be a leading "^("
+ * in the patterns in any case.
*/
if (namebuf.len > 2)
{
WHEREAND();
if (altnamevar)
{
- appendPQExpBuffer(buf, "(%s ~ ", namevar);
+ appendPQExpBuffer(buf,
+ "(%s OPERATOR(pg_catalog.~) ", namevar);
appendStringLiteralConn(buf, namebuf.data, conn);
- appendPQExpBuffer(buf, "\n OR %s ~ ", altnamevar);
+ appendPQExpBuffer(buf,
+ "\n OR %s OPERATOR(pg_catalog.~) ",
+ altnamevar);
appendStringLiteralConn(buf, namebuf.data, conn);
appendPQExpBufferStr(buf, ")\n");
}
else
{
- appendPQExpBuffer(buf, "%s ~ ", namevar);
+ appendPQExpBuffer(buf, "%s OPERATOR(pg_catalog.~) ", namevar);
appendStringLiteralConn(buf, namebuf.data, conn);
appendPQExpBufferChar(buf, '\n');
}
if (strcmp(schemabuf.data, "^(.*)$") != 0 && schemavar)
{
WHEREAND();
- appendPQExpBuffer(buf, "%s ~ ", schemavar);
+ appendPQExpBuffer(buf, "%s OPERATOR(pg_catalog.~) ", schemavar);
appendStringLiteralConn(buf, schemabuf.data, conn);
appendPQExpBufferChar(buf, '\n');
}
--- /dev/null
+/*-------------------------------------------------------------------------
+ *
+ * Interfaces in support of FE/BE connections.
+ *
+ *
+ * Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/fe_utils/connect.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef CONNECT_H
+#define CONNECT_H
+
+/*
+ * This SQL statement installs an always-secure search path, so malicious
+ * users can't take control. CREATE of an unqualified name will fail, because
+ * this selects no creation schema. This does not demote pg_temp, so it is
+ * suitable where we control the entire FE/BE connection but not suitable in
+ * SECURITY DEFINER functions. This is portable to PostgreSQL 7.3, which
+ * introduced schemas. When connected to an older version from code that
+ * might work with the old server, skip this.
+ */
+#define ALWAYS_SECURE_SEARCH_PATH_SQL \
+ "SELECT pg_catalog.set_config('search_path', '', false)"
+
+#endif /* CONNECT_H */
#include "catalog/pg_class.h"
+#include "fe_utils/connect.h"
#include "libpq-fe.h"
#include "pqexpbuffer.h"
exit(EXIT_FAILURE);
}
+ res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+ if (!res || PQresultStatus(res) != PGRES_TUPLES_OK)
+ {
+ fprintf(stderr, "sql error: %s\n", PQerrorMessage(conn));
+ exit(EXIT_FAILURE);
+ }
+ PQclear(res);
+
/* Get a list of relations that have OIDs */
printfPQExpBuffer(&sql, "%s",
projects / postgresql.git / commitdiff