sharpetronics/PostgreSQL
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-01 00:05:40 -04:00
Code Issues Projects Releases Wiki Activity
PostgreSQL/contrib
History
Tom Lane adc97d03b9 Prevent access to external files/URLs via contrib/xml2's xslt_process(). 
libxslt offers the ability to read and write both files and URLs through
stylesheet commands, thus allowing unprivileged database users to both read
and write data with the privileges of the database server.  Disable that
through proper use of libxslt's security options.

Also, remove xslt_process()'s ability to fetch documents and stylesheets
from external files/URLs.  While this was a documented "feature", it was
long regarded as a terrible idea.  The fix for CVE-2012-3489 broke that
capability, and rather than expend effort on trying to fix it, we're just
going to summarily remove it.

While the ability to write as well as read makes this security hole
considerably worse than CVE-2012-3489, the problem is mitigated by the fact
that xslt_process() is not available unless contrib/xml2 is installed,
and the longstanding warnings about security risks from that should have
discouraged prudent DBAs from installing it in security-exposed databases.

Reported and fixed by Peter Eisentraut.

Security: CVE-2012-3488
2012-08-14 18:31:18 -04:00
..
adminpack
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
auth_delay
pgindent run before PG 9.1 beta 1.
2011-04-10 11:42:00 -04:00
auto_explain
Run pgindent on 9.2 source tree in preparation for first 9.3
2012-06-10 15:20:04 -04:00
btree_gin
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
btree_gist
Reduce messages about implicit indexes and sequences to DEBUG1.
2012-07-04 20:35:29 -04:00
chkpass
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
citext
Reduce messages about implicit indexes and sequences to DEBUG1.
2012-07-04 20:35:29 -04:00
cube
Replace int2/int4 in C code with int16/int32
2012-06-25 01:51:46 +03:00
dblink
Replace libpq's "row processor" API with a "single row" mode.
2012-08-02 13:10:30 -04:00
dict_int
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
dict_xsyn
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
dummy_seclabel
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
earthdistance
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
file_fdw
Skip text->binary conversion of unnecessary columns in contrib/file_fdw.
2012-07-12 16:26:59 -04:00
fuzzystrmatch
Even more duplicate word removal, in the spirit of the season
2012-05-02 20:56:03 +03:00
hstore
Remove unreachable code
2012-07-16 22:15:03 +03:00
intagg
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
intarray
Remove unreachable code
2012-07-16 22:15:03 +03:00
isn
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
lo
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
ltree
Remove unreachable code
2012-07-16 22:15:03 +03:00
oid2name
Make oid2name, pgbench, and vacuumlo set fallback_application_name.
2012-07-04 15:39:33 -04:00
pageinspect
Replace XLogRecPtr struct with a 64-bit integer.
2012-06-24 19:19:45 +03:00
passwordcheck
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
pg_archivecleanup
Make documentation of --help and --version options more consistent
2012-06-18 02:46:59 +03:00
pg_buffercache
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
pg_freespacemap
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
pg_standby
Make documentation of --help and --version options more consistent
2012-06-18 02:46:59 +03:00
pg_stat_statements
Make new event trigger facility actually do something.
2012-07-20 11:39:01 -04:00
pg_test_fsync
Run pgindent on 9.2 source tree in preparation for first 9.3
2012-06-10 15:20:04 -04:00
pg_test_timing
Run pgindent on 9.2 source tree in preparation for first 9.3
2012-06-10 15:20:04 -04:00
pg_trgm
Replace int2/int4 in C code with int16/int32
2012-06-25 01:51:46 +03:00
pg_upgrade
Prevent pg_upgrade from crashing if it can't write to the current
2012-08-10 17:14:48 -04:00
pg_upgrade_support
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
pgbench
Make pgbench vacuum before building indexes.
2012-07-23 14:42:35 -04:00
pgcrypto
Run pgindent on 9.2 source tree in preparation for first 9.3
2012-06-10 15:20:04 -04:00
pgrowlocks
Throw a useful error message if an extension script file is fed to psql.
2011-10-12 15:45:03 -04:00
pgstattuple
Reduce messages about implicit indexes and sequences to DEBUG1.
2012-07-04 20:35:29 -04:00
seg
Run newly-configured perltidy script on Perl files.
2012-07-04 21:47:49 -04:00
sepgsql
Reduce messages about implicit indexes and sequences to DEBUG1.
2012-07-04 20:35:29 -04:00
spi
Run pgindent on 9.2 source tree in preparation for first 9.3
2012-06-10 15:20:04 -04:00
sslinfo
Lots of doc corrections.
2012-04-23 22:43:09 -04:00
start-scripts
Support Linux's oom_score_adj API as well as the older oom_adj API.
2012-06-13 15:35:52 -04:00
tablefunc
Reduce messages about implicit indexes and sequences to DEBUG1.
2012-07-04 20:35:29 -04:00
tcn
Triggered change notifications.
2012-01-19 23:15:15 -05:00
test_parser
Fix one-byte buffer overrun in contrib/test_parser.
2012-01-09 19:56:27 -05:00
tsearch2
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
unaccent
Fix some typos
2012-04-22 19:23:47 +03:00
uuid-ossp
Update copyright notices for year 2012.
2012-01-01 18:01:58 -05:00
vacuumlo
Make oid2name, pgbench, and vacuumlo set fallback_application_name.
2012-07-04 15:39:33 -04:00
xml2
Prevent access to external files/URLs via contrib/xml2's xslt_process().
2012-08-14 18:31:18 -04:00
contrib-global.mk
Remove cvs keywords from all files.
2010-09-20 22:08:53 +02:00
Makefile
pg_test_timing utility, to measure clock monotonicity and timing cost.
2012-03-27 16:14:00 -04:00
README
Update contrib/README
2012-04-14 09:29:54 +03:00

README 

The PostgreSQL contrib tree
---------------------------

This subtree contains porting tools, analysis utilities, and plug-in
features that are not part of the core PostgreSQL system, mainly
because they address a limited audience or are too experimental to be
part of the main source tree.  This does not preclude their
usefulness.

User documentation for each module appears in the main SGML
documentation.

When building from the source distribution, these modules are not
built automatically, unless you build the "world" target.  You can
also build and install them all by running "gmake all" and "gmake
install" in this directory; or to build and install just one selected
module, do the same in that module's subdirectory.

Some directories supply new user-defined functions, operators, or
types.  To make use of one of these modules, after you have installed
the code you need to register the new SQL objects in the database
system by executing a CREATE EXTENSION command.  In a fresh database,
you can simply do

    CREATE EXTENSION module_name;

See the PostgreSQL documentation for more information about this
procedure.