Movatterモバイル変換

Skip to content

postgrespro/postgresPublic

forked frompostgres/postgres

NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit05e1737

jeff-davis

committed

Fix search_path to a safe value during maintenance operations.

While executing maintenance operations (ANALYZE, CLUSTER, REFRESHMATERIALIZED VIEW, REINDEX, or VACUUM), set search_path to'pg_catalog, pg_temp' to prevent inconsistent behavior.Functions that are used for functional indexes, in index expressions,or in materialized views and depend on a different search path must bedeclared with CREATE FUNCTION ... SET search_path='...'.This change addresses a security risk introduced in commit60684dd,where a role with MAINTAIN privileges on a table may be able toescalate privileges to the table owner. That commit is not yet part ofany release, so no need to backpatch.Discussion:https://postgr.es/m/e44327179e5c9015c8dda67351c04da552066017.camel%40j-davis.comReviewed-by: Greg StarkReviewed-by: Nathan Bossart

1 parent9aee26a commit05e1737Copy full SHA for 05e1737

File tree

15 files changed

+48

-16

lines changed

contrib/amcheck
- verify_nbtree.c
src
- backend
  - access/brin
    - brin.c
  - catalog
    - index.c
  - commands
- bin/scripts/t
  - 100_vacuumdb.pl
- include/utils
  - guc.h
- test
  - modules/test_oat_hooks/expected
    - test_oat_hooks.out
  - regress
    - expected
      - privileges.out
      - vacuum.out
    - sql
      - privileges.sql
      - vacuum.sql

15 files changed

+48

-16

lines changed

`‎contrib/amcheck/verify_nbtree.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -282,6 +282,8 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,`
`282`	`282`	`SetUserIdAndSecContext(heaprel->rd_rel->relowner,`
`283`	`283`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`284`	`284`	`save_nestlevel=NewGUCNestLevel();`
	`285`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`286`	`+PGC_S_SESSION);`
`285`	`287`	`}`
`286`	`288`	`else`
`287`	`289`	`{`

`‎src/backend/access/brin/brin.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1066,6 +1066,8 @@ brin_summarize_range(PG_FUNCTION_ARGS)`
`1066`	`1066`	`SetUserIdAndSecContext(heapRel->rd_rel->relowner,`
`1067`	`1067`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`1068`	`1068`	`save_nestlevel=NewGUCNestLevel();`
	`1069`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`1070`	`+PGC_S_SESSION);`
`1069`	`1071`	`}`
`1070`	`1072`	`else`
`1071`	`1073`	`{`

`‎src/backend/catalog/index.c`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1475,6 +1475,8 @@ index_concurrently_build(Oid heapRelationId,`
`1475`	`1475`	`SetUserIdAndSecContext(heapRel->rd_rel->relowner,`
`1476`	`1476`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`1477`	`1477`	`save_nestlevel=NewGUCNestLevel();`
	`1478`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`1479`	`+PGC_S_SESSION);`
`1478`	`1480`
`1479`	`1481`	`indexRelation=index_open(indexRelationId,RowExclusiveLock);`
`1480`	`1482`
`@@ -3006,6 +3008,8 @@ index_build(Relation heapRelation,`
`3006`	`3008`	`SetUserIdAndSecContext(heapRelation->rd_rel->relowner,`
`3007`	`3009`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3008`	`3010`	`save_nestlevel=NewGUCNestLevel();`
	`3011`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3012`	`+PGC_S_SESSION);`
`3009`	`3013`
`3010`	`3014`	`/* Set up initial progress report status */`
`3011`	`3015`	`{`
`@@ -3341,6 +3345,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)`
`3341`	`3345`	`SetUserIdAndSecContext(heapRelation->rd_rel->relowner,`
`3342`	`3346`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3343`	`3347`	`save_nestlevel=NewGUCNestLevel();`
	`3348`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3349`	`+PGC_S_SESSION);`
`3344`	`3350`
`3345`	`3351`	`indexRelation=index_open(indexId,RowExclusiveLock);`
`3346`	`3352`
`@@ -3601,6 +3607,8 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,`
`3601`	`3607`	`SetUserIdAndSecContext(heapRelation->rd_rel->relowner,`
`3602`	`3608`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3603`	`3609`	`save_nestlevel=NewGUCNestLevel();`
	`3610`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3611`	`+PGC_S_SESSION);`
`3604`	`3612`
`3605`	`3613`	`if (progress)`
`3606`	`3614`	`{`

`‎src/backend/commands/analyze.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -348,6 +348,8 @@ do_analyze_rel(Relation onerel, VacuumParams *params,`
`348`	`348`	`SetUserIdAndSecContext(onerel->rd_rel->relowner,`
`349`	`349`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`350`	`350`	`save_nestlevel=NewGUCNestLevel();`
	`351`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`352`	`+PGC_S_SESSION);`
`351`	`353`
`352`	`354`	`/* measure elapsed time iff autovacuum logging requires it */`
`353`	`355`	`if (IsAutoVacuumWorkerProcess()&&params->log_min_duration >=0)`

`‎src/backend/commands/cluster.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,8 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)`
`355`	`355`	`SetUserIdAndSecContext(OldHeap->rd_rel->relowner,`
`356`	`356`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`357`	`357`	`save_nestlevel=NewGUCNestLevel();`
	`358`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`359`	`+PGC_S_SESSION);`
`358`	`360`
`359`	`361`	`/*`
`360`	`362`	`* Since we may open a new transaction for each relation, we have to check`

`‎src/backend/commands/indexcmds.c`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -575,6 +575,8 @@ DefineIndex(Oid relationId,`
`575`	`575`	`introot_save_nestlevel;`
`576`	`576`
`577`	`577`	`root_save_nestlevel=NewGUCNestLevel();`
	`578`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`579`	`+PGC_S_SESSION);`
`578`	`580`
`579`	`581`	`/*`
`580`	`582`	`* Some callers need us to run with an empty default_tablespace; this is a`
`@@ -1300,6 +1302,8 @@ DefineIndex(Oid relationId,`
`1300`	`1302`	`SetUserIdAndSecContext(childrel->rd_rel->relowner,`
`1301`	`1303`	`child_save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`1302`	`1304`	`child_save_nestlevel=NewGUCNestLevel();`
	`1305`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`1306`	`+PGC_S_SESSION);`
`1303`	`1307`
`1304`	`1308`	`/*`
`1305`	`1309`	`* Don't try to create indexes on foreign tables, though. Skip`
`@@ -3753,6 +3757,8 @@ ReindexRelationConcurrently(Oid relationOid, ReindexParams *params)`
`3753`	`3757`	`SetUserIdAndSecContext(heapRel->rd_rel->relowner,`
`3754`	`3758`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3755`	`3759`	`save_nestlevel=NewGUCNestLevel();`
	`3760`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3761`	`+PGC_S_SESSION);`
`3756`	`3762`
`3757`	`3763`	`/* determine safety of this index for set_indexsafe_procflags */`
`3758`	`3764`	`idx->safe= (indexRel->rd_indexprs==NIL&&`

`‎src/backend/commands/matview.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,8 @@ ExecRefreshMatView(RefreshMatViewStmt stmt, const char queryString,`
`179`	`179`	`SetUserIdAndSecContext(relowner,`
`180`	`180`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`181`	`181`	`save_nestlevel=NewGUCNestLevel();`
	`182`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`183`	`+PGC_S_SESSION);`
`182`	`184`
`183`	`185`	`/* Make sure it is a materialized view. */`
`184`	`186`	`if (matviewRel->rd_rel->relkind!=RELKIND_MATVIEW)`

`‎src/backend/commands/vacuum.c`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2172,6 +2172,8 @@ vacuum_rel(Oid relid, RangeVar relation, VacuumParams params,`
`2172`	`2172`	`SetUserIdAndSecContext(rel->rd_rel->relowner,`
`2173`	`2173`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`2174`	`2174`	`save_nestlevel=NewGUCNestLevel();`
	`2175`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`2176`	`+PGC_S_SESSION);`
`2175`	`2177`
`2176`	`2178`	`/*`
`2177`	`2179`	`* If PROCESS_MAIN is set (the default), it's time to vacuum the main`

`‎src/bin/scripts/t/100_vacuumdb.pl`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -109,15 +109,11 @@`
`109`	`109`	`CREATE FUNCTION f1(int) RETURNS int LANGUAGE SQL AS 'SELECT f0($1)';`
`110`	`110`	`CREATE TABLE funcidx (x int);`
`111`	`111`	`INSERT INTO funcidx VALUES (0),(1),(2),(3);`
`112`		`- CREATE INDEX i0 ON funcidx ((f1(x)));`
`113`	`112`	`CREATE SCHEMA "Foo";`
`114`	`113`	`CREATE TABLE "Foo".bar(id int);`
`115`	`114`	`\|);`
`116`	`115`	`$node->command_ok([qw\|vacuumdb -Z --table="need""q(uot"(")x") postgres\|],`
`117`	`116`	`'column list');`
`118`		`-$node->command_fails(`
`119`		`-[qw\|vacuumdb -Zt funcidx postgres\|],`
`120`		`-'unqualified name via functional index');`
`121`	`117`
`122`	`118`	`$node->command_fails(`
`123`	`119`	`['vacuumdb','--analyze','--table','vactable(c)','postgres' ],`

`‎src/include/utils/guc.h`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -201,6 +201,12 @@ typedef enum`
`201`	`201`
`202`	`202`	`#defineGUC_QUALIFIER_SEPARATOR '.'`
`203`	`203`
	`204`	`+/*`
	`205`	`+ * Safe search path when executing code as the table owner, such as during`
	`206`	`+ * maintenance operations.`
	`207`	`+ */`
	`208`	`+#defineGUC_SAFE_SEARCH_PATH "pg_catalog, pg_temp"`
	`209`	`+`
`204`	`210`	`/*`
`205`	`211`	`* Bit values in "flags" of a GUC variable. Note that these don't appear`
`206`	`212`	`* on disk, so we can reassign their values freely.`

`‎src/test/modules/test_oat_hooks/expected/test_oat_hooks.out`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -89,11 +89,15 @@ NOTICE: in object access: superuser finished create (subId=0x0) [internal]`
`89`	`89`	`NOTICE: in process utility: superuser finished CREATE TABLE`
`90`	`90`	`CREATE INDEX regress_test_table_t_idx ON regress_test_table (t);`
`91`	`91`	`NOTICE: in process utility: superuser attempting CREATE INDEX`
	`92`	`+NOTICE: in object access: superuser attempting namespace search (subId=0x0) [no report on violation, allowed]`
	`93`	`+NOTICE: in object access: superuser finished namespace search (subId=0x0) [no report on violation, allowed]`
`92`	`94`	`NOTICE: in object access: superuser attempting create (subId=0x0) [explicit]`
`93`	`95`	`NOTICE: in object access: superuser finished create (subId=0x0) [explicit]`
`94`	`96`	`NOTICE: in process utility: superuser finished CREATE INDEX`
`95`	`97`	`GRANT SELECT ON Table regress_test_table TO public;`
`96`	`98`	`NOTICE: in process utility: superuser attempting GRANT`
	`99`	`+NOTICE: in object access: superuser attempting namespace search (subId=0x0) [no report on violation, allowed]`
	`100`	`+NOTICE: in object access: superuser finished namespace search (subId=0x0) [no report on violation, allowed]`
`97`	`101`	`NOTICE: in process utility: superuser finished GRANT`
`98`	`102`	`CREATE FUNCTION regress_test_func (t text) RETURNS text AS $$`
`99`	`103`	`SELECT $1;`

`‎src/test/regress/expected/privileges.out`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1769,7 +1769,7 @@ SET SESSION AUTHORIZATION regress_sro_user;`
`1769`	`1769`	`CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS`
`1770`	`1770`	`'GRANT regress_priv_group2 TO regress_sro_user';`
`1771`	`1771`	`CREATE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS`
`1772`		`-'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true';`
	`1772`	`+'DECLARE c CURSOR WITH HOLD FOR SELECTpublic.unwanted_grant(); SELECT true';`
`1773`	`1773`	`-- REFRESH of this MV will queue a GRANT at end of transaction`
`1774`	`1774`	`CREATE MATERIALIZED VIEW sro_mv AS SELECT mv_action() WITH NO DATA;`
`1775`	`1775`	`REFRESH MATERIALIZED VIEW sro_mv;`
`@@ -1783,12 +1783,12 @@ SET SESSION AUTHORIZATION regress_sro_user;`
`1783`	`1783`	`-- INSERT to this table will queue a GRANT at end of transaction`
`1784`	`1784`	`CREATE TABLE sro_trojan_table ();`
`1785`	`1785`	`CREATE FUNCTION sro_trojan() RETURNS trigger LANGUAGE plpgsql AS`
`1786`		`-'BEGIN PERFORM unwanted_grant(); RETURN NULL; END';`
	`1786`	`+'BEGIN PERFORMpublic.unwanted_grant(); RETURN NULL; END';`
`1787`	`1787`	`CREATE CONSTRAINT TRIGGER t AFTER INSERT ON sro_trojan_table`
`1788`	`1788`	`INITIALLY DEFERRED FOR EACH ROW EXECUTE PROCEDURE sro_trojan();`
`1789`	`1789`	`-- Now, REFRESH will issue such an INSERT, queueing the GRANT`
`1790`	`1790`	`CREATE OR REPLACE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS`
`1791`		`-'INSERT INTO sro_trojan_table DEFAULT VALUES; SELECT true';`
	`1791`	`+'INSERT INTOpublic.sro_trojan_table DEFAULT VALUES; SELECT true';`
`1792`	`1792`	`REFRESH MATERIALIZED VIEW sro_mv;`
`1793`	`1793`	`ERROR: cannot fire deferred trigger within security-restricted operation`
`1794`	`1794`	`CONTEXT: SQL function "mv_action" statement 1`
`@@ -1800,15 +1800,15 @@ BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT;`
`1800`	`1800`	`ERROR: permission denied to grant role "regress_priv_group2"`
`1801`	`1801`	`DETAIL: Only roles with the ADMIN option on role "regress_priv_group2" may grant this role.`
`1802`	`1802`	`CONTEXT: SQL function "unwanted_grant" statement 1`
`1803`		`-SQL statement "SELECT unwanted_grant()"`
`1804`		`-PL/pgSQL function sro_trojan() line 1 at PERFORM`
	`1803`	`+SQL statement "SELECTpublic.unwanted_grant()"`
	`1804`	`+PL/pgSQL functionpublic.sro_trojan() line 1 at PERFORM`
`1805`	`1805`	`SQL function "mv_action" statement 1`
`1806`	`1806`	`-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()`
`1807`	`1807`	`SET SESSION AUTHORIZATION regress_sro_user;`
`1808`	`1808`	`CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int`
`1809`	`1809`	`IMMUTABLE LANGUAGE plpgsql AS $$`
`1810`	`1810`	`BEGIN`
`1811`		`-PERFORM unwanted_grant();`
	`1811`	`+PERFORMpublic.unwanted_grant();`
`1812`	`1812`	`RAISE WARNING 'owned';`
`1813`	`1813`	`RETURN 1;`
`1814`	`1814`	`EXCEPTION WHEN OTHERS THEN`

`‎src/test/regress/expected/vacuum.out`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ CLUSTER vaccluster;`
`64`	`64`	`CREATE FUNCTION do_analyze() RETURNS VOID VOLATILE LANGUAGE SQL`
`65`	`65`	`AS 'ANALYZE pg_am';`
`66`	`66`	`CREATE FUNCTION wrap_do_analyze(c INT) RETURNS INT IMMUTABLE LANGUAGE SQL`
`67`		`-AS 'SELECT $1 FROM do_analyze()';`
	`67`	`+AS 'SELECT $1 FROMpublic.do_analyze()';`
`68`	`68`	`CREATE INDEX ON vaccluster(wrap_do_analyze(i));`
`69`	`69`	`INSERT INTO vaccluster VALUES (1), (2);`
`70`	`70`	`ANALYZE vaccluster;`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1177,7 +1177,7 @@ SET SESSION AUTHORIZATION regress_sro_user;`
`1177`	`1177`	`CREATEFUNCTIONunwanted_grant() RETURNS void LANGUAGE sqlAS`
`1178`	`1178`	`'GRANT regress_priv_group2 TO regress_sro_user';`
`1179`	`1179`	`CREATEFUNCTIONmv_action() RETURNS bool LANGUAGE sqlAS`
`1180`		`-'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true';`
	`1180`	`+'DECLARE c CURSOR WITH HOLD FOR SELECTpublic.unwanted_grant(); SELECT true';`
`1181`	`1181`	`-- REFRESH of this MV will queue a GRANT at end of transaction`
`1182`	`1182`	`CREATE MATERIALIZED VIEW sro_mvASSELECT mv_action() WITH NO DATA;`
`1183`	`1183`	`REFRESH MATERIALIZED VIEW sro_mv;`
`@@ -1188,12 +1188,12 @@ SET SESSION AUTHORIZATION regress_sro_user;`
`1188`	`1188`	`-- INSERT to this table will queue a GRANT at end of transaction`
`1189`	`1189`	`CREATETABLEsro_trojan_table ();`
`1190`	`1190`	`CREATEFUNCTIONsro_trojan() RETURNS trigger LANGUAGE plpgsqlAS`
`1191`		`-'BEGIN PERFORM unwanted_grant(); RETURN NULL; END';`
	`1191`	`+'BEGIN PERFORMpublic.unwanted_grant(); RETURN NULL; END';`
`1192`	`1192`	`CREATECONSTRAINT TRIGGER t AFTER INSERTON sro_trojan_table`
`1193`	`1193`	`INITIALLY DEFERRED FOR EACH ROW EXECUTE PROCEDURE sro_trojan();`
`1194`	`1194`	`-- Now, REFRESH will issue such an INSERT, queueing the GRANT`
`1195`	`1195`	`CREATE OR REPLACEFUNCTIONmv_action() RETURNS bool LANGUAGE sqlAS`
`1196`		`-'INSERT INTO sro_trojan_table DEFAULT VALUES; SELECT true';`
	`1196`	`+'INSERT INTOpublic.sro_trojan_table DEFAULT VALUES; SELECT true';`
`1197`	`1197`	`REFRESH MATERIALIZED VIEW sro_mv;`
`1198`	`1198`	`\c-`
`1199`	`1199`	`REFRESH MATERIALIZED VIEW sro_mv;`
`@@ -1204,7 +1204,7 @@ SET SESSION AUTHORIZATION regress_sro_user;`
`1204`	`1204`	`CREATEFUNCTIONunwanted_grant_nofail(int) RETURNSint`
`1205`	`1205`	`IMMUTABLE LANGUAGE plpgsqlAS $$`
`1206`	`1206`	`BEGIN`
`1207`		`-PERFORM unwanted_grant();`
	`1207`	`+PERFORMpublic.unwanted_grant();`
`1208`	`1208`	`RAISE WARNING'owned';`
`1209`	`1209`	`RETURN1;`
`1210`	`1210`	`EXCEPTION WHEN OTHERS THEN`

`‎src/test/regress/sql/vacuum.sql`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ CLUSTER vaccluster;`
`49`	`49`	`CREATEFUNCTIONdo_analyze() RETURNS VOID VOLATILE LANGUAGE SQL`
`50`	`50`	`AS'ANALYZE pg_am';`
`51`	`51`	`CREATEFUNCTIONwrap_do_analyze(cINT) RETURNSINT IMMUTABLE LANGUAGE SQL`
`52`		`-AS'SELECT $1 FROM do_analyze()';`
	`52`	`+AS'SELECT $1 FROMpublic.do_analyze()';`
`53`	`53`	`CREATEINDEXON vaccluster(wrap_do_analyze(i));`
`54`	`54`	`INSERT INTO vacclusterVALUES (1), (2);`
`55`	`55`	`ANALYZE vaccluster;`

0 commit comments

Comments

(0)

[8]ページ先頭

©2009-2025 Movatter.jp