Movatterモバイル変換

HardenPQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch)§§§§§§§

Data-quoting functions supplied bylibpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.

The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to aPostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed throughpsql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.

This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.

Applications and drivers that quote untrusted input without using theselibpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.

ThePostgreSQL Project thanks Stephen Fewer for reporting this problem. (CVE-2025-1094)

Exclude parallel workers from connection privilege checks and limits (Tom Lane)§

Do not checkdatallowconn,rolcanlogin, andACL_CONNECT privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforceReservedConnections,datconnlimit, androlconnlimit limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.

KeepTransactionXmin in sync withMyProc->xmin (Heikki Linnakangas)§

This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient“could not access status of transaction” errors.

Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas)§

This could result, for example, in failure to use a newly-created function within an existing session.

Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch)§

Fix data corruption when relation truncation fails (Thomas Munro)§§§

The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.

Prevent checkpoints from starting during relation truncation (Robert Haas)§

This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.

Userename() notlink()/unlink() to rename files (Nathan Bossart)§

The previous coding was intended to assure that the operation could not accidentally overwrite an existing file. However a failure could leave two links to the same file in existence, confusing subsequent operations and creating a risk of data corruption. In practice we do not use this functionality in places where the target filename could already exist, so it seems better to give up the no-overwrite guarantee to remove the multiple-link hazard.

Avoid possibly losing an update ofpg_database.datfrozenxid whenVACUUM runs concurrently with aREASSIGN OWNED that changes that database's owner (Kirill Reshke)§

Fix incorrecttg_updatedcols values passed toAFTER UPDATE triggers (Tom Lane)§

In some cases thetg_updatedcols bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.

Also, prevent memory bloat caused by making too many copies of thetg_updatedcols bitmap.

Fix mis-processing ofto_timestamp'sFFn format codes (Tom Lane)§

An integer format code immediately precedingFFn would consume all available digits, leaving none forFFn.

When deparsing anXMLTABLE() expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed)§

Include theldapscheme option inpg_hba_file_rules() output (Laurenz Albe)§§

Don't mergeUNION operations if their column collations aren't consistent (Tom Lane)§

Previously we ignored collations when deciding if it's safe to mergeUNION steps into a single N-wayUNION operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.

Fix missed expression processing for partition pruning steps (Tom Lane)§

This oversight could lead to“unrecognized node type” errors, and perhaps other problems, in queries accessing partitioned tables.

Allow dshash tables to grow past 1GB (Matthias van de Meent)§

This avoids errors like“invalid DSA memory alloc request size”. The case can occur for example in transactions that process several million tables.

Avoid possible integer overflow inbringetbitmap() (James Hunter, Evgeniy Gorbanyov)§

Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.

Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin)§

This would happen when the record's continuation is on a page that needs to be read from a different WAL source.

Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch)§

This fixes some unlikely cases that would result in“PANIC: proc_exit() called in child process”.

Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane)§§

In some cases a data type could be dropped while references to its OID still remain inpg_amop orpg_amproc. While that caused no immediate issues, an attempt to drop the owning operator family would fail, andpg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added toDROP OPERATOR FAMILY to prevent failure when dropping a family that has dangling members.

Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang)§§

Avoid low-probability crash on out-of-memory, due to missing check for failure return frommalloc() (Karina Litskevich)§

Avoid integer overflow while testingwal_skip_threshold condition (Tom Lane)§

A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point ofwal_skip_threshold. (This only matters whenwal_level is set tominimal, else a WAL copy is required anyway.)

Fix unsafe order of operations during cache lookups (Noah Misch)§

The only known consequence was a usually-harmless“you don't own a lock of type ExclusiveLock” warning duringGRANT TABLESPACE.

Fix possible“failed to resolve name” failures when using JIT on older ARM platforms (Thomas Munro)§

This could occur as a consequence of inconsistency about the default setting of-moutline-atomics between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.

Fix handling of Windows junction points that are not ofPostgreSQL origin (Thomas Munro)§§

Previously,initdb would fail if the path to the data directory included junction points whose expansion isn't in“drive absolute” format, or whose expansion points to another junction point.

Fix assertion failure inWITH RECURSIVE ... UNION queries (David Rowley)§

Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane)§

Avoid edge-case assertion failure in parallel query startup (Tom Lane)§

Avoid rare assertion failure during relation truncation (Heikki Linnakangas)§

InNULLIF(), avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane)§

The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as theNULLIF() result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.

Repair memory leaks in PL/Python (Mat Arye, Tom Lane)§

Repeated use ofPLyPlan.execute orplpy.cursor resulted in memory leakage for the duration of the calling PL/Python function.

Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut)§

In theecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane)§

Inecpg, fix compile-time warnings about unsupported use ofCOPY ... FROM STDIN (Ryo Kanbayashi)§

Previously, the intended warning was not issued due to a typo.

Fixpsql to safely handle file path names that are encoded in SJIS (Tom Lane)§

Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.

Fix use of wrong version ofpqsignal() inpgbench andpsql (Fujii Masao, Tom Lane)§

This error could lead to misbehavior when using the-T option inpgbench or the\watch command inpsql, due to interrupted system calls not being resumed as expected.

Fix misexecution of some nested\if constructs inpgbench (Michail Nikolaev)§

An\if command appearing within a false (not-being-executed)\if branch was incorrectly treated the same as\elif.

Inpgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao)§§

Makepg_controldata more robust against corruptedpg_control files (Ilyasov Ian, Anton Voloshin)§

Sincepg_controldata will attempt to print the contents ofpg_control even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.

Fix possible crash inpg_dump with identity sequences attached to tables that are extension members (Tom Lane)§

Fixpg_basebackup to correctly handlepg_wal.tar files exceeding 2GB on Windows (Davinder Singh, Thomas Munro)§§

Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane)§

On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a-march switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.

Duringconfigure, if a C23 compiler is detected, try asking for C17 (Thomas Munro)§

PostgreSQL versions before v16 will not compile under C23 rules. If the chosen compiler defaults to C23 or later, try adding a-std=gnu17 switch to change that. (If this won't work for your compiler, manually specifyCFLAGS with a suitable switch.)

Update time zone data files totzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane)§