Commit graph

346 commits

Author SHA1 Message Date
Noah Misch
82b7393eb4 Add error-throwing wrappers for the printf family of functions.
All known standard library implementations of these functions can fail
with ENOMEM.  A caller neglecting to check for failure would experience
missing output, information exposure, or a crash.  Check return values
within wrappers and code, currently just snprintf.c, that bypasses the
wrappers.  The wrappers do not return after an error, so their callers
need not check.  Back-patch to 9.0 (all supported versions).

Popular free software standard library implementations do take pains to
bypass malloc() in simple cases, but they risk ENOMEM for floating point
numbers, positional arguments, large field widths, and large precisions.
No specification demands such caution, so this commit regards every call
to a printf family function as a potential threat.

Injecting the wrappers implicitly is a compromise between patch scope
and design goals.  I would prefer to edit each call site to name a
wrapper explicitly.  libpq and the ECPG libraries would, ideally, convey
errors to the caller rather than abort().  All that would be painfully
invasive for a back-patched security fix, hence this compromise.

Security: CVE-2015-3166
2015-05-18 10:02:37 -04:00
Peter Eisentraut
6f8b6abd97 Translation updates
Source-Git-URL: git://git.postgresql.org/git/pgtranslation/messages.git
Source-Git-Hash: 7da40afeb612deb39a77da4071ea1d5800706863
2015-05-18 08:45:56 -04:00
Peter Eisentraut
b77b40d886 Translation updates
Source-Git-URL: git://git.postgresql.org/git/pgtranslation/messages.git
Source-Git-Hash: 47199c5813321fac9558fe6629fcb48989a28e44
2015-02-01 23:07:30 -05:00
Tom Lane
4bb45b9996 Fix some functions that were declared static then defined not-static.
Per testing with a compiler that whines about this.
2015-01-12 16:08:52 -05:00
Alvaro Herrera
753e62e17d Fix thinko in plpython error message 2015-01-06 15:16:29 -03:00
Tom Lane
658fad7ff0 Make plpython_unicode regression test work in more database encodings.
This test previously used a data value containing U+0080, and would
therefore fail if the database encoding didn't have an equivalent to
that; which only about half of our supported server encodings do.
We could fall back to using some plain-ASCII character, but that seems
like it's losing most of the point of the test.  Instead switch to using
U+00A0 (no-break space), which translates into all our supported encodings
except the four in the EUC_xx family.

Per buildfarm testing.  Back-patch to 9.1, which is as far back as this
test is expected to succeed everywhere.  (9.0 has the test, but without
back-patching some 9.1 code changes we could not expect to get consistent
results across platforms anyway.)
2014-06-03 12:02:18 -04:00
Tom Lane
582b41d6e2 PL/Python: Adjust the regression tests for Python 3.4
Back-patch commit d0765d50f4 into 9.3
and 9.2, which is as far back as we previously bothered to adjust the
regression tests for Python 3.3.  Per gripe from Honza Horak.
2014-06-01 15:03:18 -04:00
Tom Lane
83ed4598b2 On OS X, link libpython normally, ignoring the "framework" framework.
As of Xcode 5.0, Apple isn't including the Python framework as part of the
SDK-level files, which means that linking to it might fail depending on
whether Xcode thinks you've selected a specific SDK version.  According to
their Tech Note 2328, they've basically deprecated the framework method of
linking to libpython and are telling people to link to the shared library
normally.  (I'm pretty sure this is in direct contradiction to the advice
they were giving a few years ago, but whatever.)  Testing says that this
approach works fine at least as far back as OS X 10.4.11, so let's just
rip out the framework special case entirely.  We do still need a special
case to decide that OS X provides a shared library at all, unfortunately
(I wonder why the distutils check doesn't work ...).  But this is still
less of a special case than before, so it's fine.

Back-patch to all supported branches, since we'll doubtless be hearing
about this more as more people update to recent Xcode.
2014-05-30 18:18:20 -04:00
Bruce Momjian
0b44914c21 Remove tabs after spaces in C comments
This was not changed in HEAD, but will be done later as part of a
pgindent run.  Future pgindent runs will also do this.

Report by Tom Lane

Backpatch through all supported branches, but not HEAD
2014-05-06 11:26:27 -04:00
Tom Lane
6b3b15e534 Fix refcounting bug in PLy_modify_tuple().
We must increment the refcount on "plntup" as soon as we have the
reference, not sometime later.  Otherwise, if an error is thrown in
between, the Py_XDECREF(plntup) call in the PG_CATCH block removes a
refcount we didn't add, allowing the object to be freed even though
it's still part of the plpython function's parsetree.

This appears to be the cause of crashes seen on buildfarm member
prairiedog.  It's a bit surprising that we've not seen it fail repeatably
before, considering that the regression tests have been exercising the
faulty code path since 2009.

The real-world impact is probably minimal, since it's unlikely anyone would
be provoking the "TD["new"] is not a dictionary" error in production, and
that's the only case that is actually wrong.  Still, it's a bug affecting
the regression tests, so patch all supported branches.

In passing, remove dead variable "plstr", and demote "platt" to a local
variable inside the PG_TRY block, since we don't need to clean it up
in the PG_CATCH path.
2014-03-26 16:41:38 -04:00
Peter Eisentraut
67016c3970 Translation updates 2014-02-17 16:56:04 -05:00
Noah Misch
1d701d28a7 Prevent privilege escalation in explicit calls to PL validators.
The primary role of PL validators is to be called implicitly during
CREATE FUNCTION, but they are also normal functions that a user can call
explicitly.  Add a permissions check to each validator to ensure that a
user cannot use explicit validator calls to achieve things he could not
otherwise achieve.  Back-patch to 8.4 (all supported versions).
Non-core procedural language extensions ought to make the same two-line
change to their own validators.

Andres Freund, reviewed by Tom Lane and Noah Misch.

Security: CVE-2014-0061
2014-02-17 09:33:33 -05:00
Peter Eisentraut
ff61dd2066 Translation updates 2013-12-02 00:08:10 -05:00
Peter Eisentraut
4dd5c312fc Translation updates 2013-10-07 16:17:51 -04:00
Tom Lane
c0977b465a Fix error handling in PLy_spi_execute_fetch_result().
If an error is thrown out of the datatype I/O functions called by this
function, we need to do subtransaction cleanup, which the previous coding
entirely failed to do.  Fortunately, both existing callers of this function
already have proper cleanup logic, so re-throwing the exception is enough.

Also, postpone creation of the resultset tupdesc until after the I/O
conversions are complete, so that we won't leak memory in TopMemoryContext
when such an error happens.
2013-07-20 12:45:02 -04:00
Heikki Linnakangas
c4f386f51d Silence compiler warning in assertion-enabled builds.
With -Wtype-limits, gcc correctly points out that size_t can never be < 0.
Backpatch to 9.3 and 9.2. It's been like this forever, but in <= 9.1 you got
a lot other warnings with -Wtype-limits anyway (at least with my version of
gcc).

Andres Freund
2013-07-02 17:51:50 +03:00
Peter Eisentraut
0e1bee9ff4 Translation updates 2013-02-04 00:01:19 -05:00
Tom Lane
308711afc7 Fix plpython's handling of functions used as triggers on multiple tables.
plpython tried to use a single cache entry for a trigger function, but it
needs a separate cache entry for each table the trigger is applied to,
because there is table-dependent data in there.  This was done correctly
before 9.1, but commit 46211da1b8 broke it
by simplifying the lookup key from "function OID and triggered table OID"
to "function OID and is-trigger boolean".  Go back to using both OIDs
as the lookup key.  Per bug report from Sandro Santilli.

Andres Freund
2013-01-25 16:59:00 -05:00
Peter Eisentraut
562fca74a1 Translation updates 2012-12-03 08:00:46 -05:00
Tom Lane
770556d6c6 Adjust PL/Python regression tests some more for Python 3.3.
Commit 2cfb1c6f77 fixed some issues caused
by Python 3.3 choosing to iterate through dict entries in a different order
than before.  But here's another one: the test cases adjusted here made two
bad entries in a dict and expected the one complained of would always be
the same.

Possibly this should be back-patched further than 9.2, but there seems
little point unless the earlier fix is too.
2012-09-08 17:39:12 -04:00
Peter Eisentraut
1bc414ca76 Translation updates 2012-09-06 00:52:38 -04:00
Alvaro Herrera
dc1a36f11a add #includes to plpy_subxactobject.h to make it compile standalone 2012-08-28 16:14:31 -04:00
Peter Eisentraut
f3df4cd22c Translation updates 2012-08-23 21:24:06 -04:00
Peter Eisentraut
2152001773 Translation updates 2012-08-14 16:37:40 -04:00
Heikki Linnakangas
d9c77e2493 Perform conversion from Python unicode to string/bytes object via UTF-8.
We used to convert the unicode object directly to a string in the server
encoding by calling Python's PyUnicode_AsEncodedString function. In other
words, we used Python's routines to do the encoding. However, that has a
few problems. First of all, it required keeping a mapping table of Python
encoding names and PostgreSQL encodings. But the real killer was that Python
doesn't support EUC_TW and MULE_INTERNAL encodings at all.

Instead, convert the Python unicode object to UTF-8, and use PostgreSQL's
encoding conversion functions to convert from UTF-8 to server encoding. We
were already doing the same in the other direction in PLyUnicode_FromString,
so this is more consistent, too.

Note: This makes SQL_ASCII to behave more leniently. We used to map
SQL_ASCII to Python's 'ascii', which on Python means strict 7-bit ASCII
only, so you got an error if the python string contained anything but pure
ASCII. You no longer get an error; you get the UTF-8 representation of the
string instead.

Backpatch to 9.0, where these conversions were introduced.

Jan Urbański
2012-08-06 14:14:44 +03:00
Peter Eisentraut
095bcf93a8 Translation updates 2012-08-02 23:01:01 +03:00
Heikki Linnakangas
7c58a5f246 Revert part of the previous patch that avoided using PLy_elog().
That caused the plpython_unicode regression test to fail on SQL_ASCII
encoding, as evidenced by the buildfarm. The reason is that with the patch,
you don't get the detail in the error message that you got before. That
detail is actually very informative, so rather than just adjust the expected
output, let's revert that part of the patch for now to make the buildfarm
green again, and figure out some other way to avoid the recursion of
PLy_elog() that doesn't lose the detail.
2012-07-05 23:43:46 +03:00
Heikki Linnakangas
773288016d Fix mapping of PostgreSQL encodings to Python encodings.
Windows encodings, "win1252" and so forth, are named differently in Python,
like "cp1252". Also, if the PyUnicode_AsEncodedString() function call fails
for some reason, use a plain ereport(), not a PLy_elog(), to report that
error. That avoids recursion and crash, if PLy_elog() tries to call
PLyUnicode_Bytes() again.

This fixes bug reported by Asif Naeem. Backpatch down to 9.0, before that
plpython didn't even try these conversions.

Jan Urbański, with minor comment improvements by me.
2012-07-05 22:31:47 +03:00
Bruce Momjian
2bc09ff499 Run newly-configured perltidy script on Perl files.
Run on HEAD and 9.2.
2012-07-04 21:47:48 -04:00
Bruce Momjian
927d61eeff Run pgindent on 9.2 source tree in preparation for first 9.3
commit-fest.
2012-06-10 15:20:04 -04:00
Peter Eisentraut
2cfb1c6f77 PL/Python: Adjust the regression tests for Python 3.3
The string representation of ImportError changed.  Remove printing
that; it's not necessary for the test.

The order in which members of a dict are printed changed.  But this
was always implementation-dependent, so we have just been lucky for a
long time.  Do the printing the hard way to ensure sorted order.
2012-05-11 23:04:47 +03:00
Peter Eisentraut
a97207b690 PL/Python: Fix slicing support for result objects for Python 3
The old way of implementing slicing support by implementing
PySequenceMethods.sq_slice no longer works in Python 3.  You now have
to implement PyMappingMethods.mp_subscript.  Do this by simply
proxying the call to the wrapped list of result dictionaries.
Consolidate some of the subscripting regression tests.

Jan Urbański
2012-05-10 20:40:30 +03:00
Peter Eisentraut
1540d3bf4d PL/Python: Update incorrect comment
Jan Urbański
2012-05-10 20:40:30 +03:00
Peter Eisentraut
1d158d7f98 Python 2.2 is no longer supported
It was already on its last legs, and it turns out that it was
accidentally broken in commit 89e850e6fd
and no one cared.  So remove the rest the support for it and update
the documentation to indicate that Python 2.3 is now required.
2012-05-10 20:02:57 +03:00
Peter Eisentraut
e6c2e8cb87 PL/Python: Improve test coverage
Add test cases for inline handler of plython2u (when using that
language name), and for result object element assignment.  There is
now at least one test case for every top-level functionality, except
plpy.Fatal (annoying to use in regression tests) and result object
slice retrieval and slice assignment (which are somewhat broken).
2012-05-02 21:09:03 +03:00
Peter Eisentraut
52aa334fcd PL/Python: Fix crash in functions returning SETOF and using SPI
Allocate PLyResultObject.tupdesc in TopMemoryContext, because its
lifetime is the lifetime of the Python object and it shouldn't be
freed by some other memory context, such as one controlled by SPI.  We
trust that the Python object will clean up its own memory.

Before, this would crash the included regression test case by trying
to use memory that was already freed.

reported by Asif Naeem, analysis by Tom Lane
2012-05-02 20:59:51 +03:00
Robert Haas
e01e66f808 More duplicate word removal. 2012-05-02 09:28:16 -04:00
Peter Eisentraut
ba3e4157a7 PL/Python: Accept strings in functions returning composite types
Before 9.1, PL/Python functions returning composite types could return
a string and it would be parsed using record_in.  The 9.1 changes made
PL/Python only expect dictionaries, tuples, or objects supporting
getattr as output of composite functions, resulting in a regression
and a confusing error message, as the strings were interpreted as
sequences and the code for transforming lists to database tuples was
used.  Fix this by treating strings separately as before, before
checking for the other types.

The reason why it's important to support string to database tuple
conversion is that trigger functions on tables with composite columns
get the composite row passed in as a string (from record_out).
Without supporting converting this back using record_in, this makes it
impossible to implement pass-through behavior for these columns, as
PL/Python no longer accepts strings for composite values.

A better solution would be to fix the code that transforms composite
inputs into Python objects to produce dictionaries that would then be
correctly interpreted by the Python->PostgreSQL counterpart code.  But
that would be too invasive to backpatch to 9.1, and it is too late in
the 9.2 cycle to attempt it.  It should be revisited in the future,
though.

Reported as bug #6559 by Kirill Simonov.

Jan Urbański
2012-04-26 21:03:48 +03:00
Peter Eisentraut
65ca8e68b7 PL/Python: Improve error messages 2012-04-25 21:11:59 +03:00
Peter Eisentraut
0f48e06751 PL/Python: Improve documentation of nrows() method
Clarify that nrows() is the number of rows processed, versus the
number of rows returned, which can be obtained using len.  Also add
tests about that.
2012-04-16 11:30:32 +03:00
Peter Eisentraut
c03523ed3f PL/Python: Fix crash when colnames() etc. called without result set
The result object methods colnames() etc. would crash when called
after a command that did not produce a result set.  Now they throw an
exception.

discovery and initial patch by Jean-Baptiste Quenot
2012-04-15 20:23:08 +03:00
Tom Lane
5cd72c7a7c Patch some corner-case bugs in pl/python.
Dave Malcolm of Red Hat is working on a static code analysis tool for
Python-related C code.  It reported a number of problems in plpython,
most of which were failures to check for NULL results from object-creation
functions, so would only be an issue in very-low-memory situations.

Patch in HEAD and 9.1.  We could go further back but it's not clear that
these issues are important enough to justify the work.

Jan Urbański
2012-03-13 15:26:32 -04:00
Tom Lane
a14fa84693 Fix minor memory leak in PLy_typeinfo_dealloc().
We forgot to free the per-attribute array element descriptors.

Jan Urbański
2012-03-13 13:28:11 -04:00
Tom Lane
ed75380bda Create a stack of pl/python "execution contexts".
This replaces the former global variable PLy_curr_procedure, and provides
a place to stash per-call-level information.  In particular we create a
per-call-level scratch memory context.

For the moment, the scratch context is just used to avoid leaking memory
from datatype output function calls in PLyDict_FromTuple.  There probably
will be more use-cases in future.

Although this is a fix for a pre-existing memory leakage bug, it seems
sufficiently invasive to not want to back-patch; it feels better as part
of the major rearrangement of plpython code that we've already done as
part of 9.2.

Jan Urbański
2012-03-13 13:19:06 -04:00
Tom Lane
bef47331b6 Code review for plpgsql fn_signature patch.
Don't quote the output of format_procedure(); it's already quoted quite
enough.  Remove the fn_name field, which was now just dead weight.  Fix
remaining expected-output files.
2012-02-01 02:14:37 -05:00
Robert Haas
5ae88c65da Adjust expected regression test outputs for PL/python.
This got broken by commit 4c6cedd1b0,
which caused PL/pgsql error messages to print the function
signature, not just the name.

Per buildfarm.
2012-01-31 13:16:38 -05:00
Peter Eisentraut
ee7fa66b19 PL/Python: Add result metadata functions
Add result object functions .colnames, .coltypes, .coltypmods to
obtain information about the result column names and types, which was
previously not possible in the PL/Python SPI interface.

reviewed by Abhijit Menon-Sen
2012-01-30 21:38:52 +02:00
Peter Eisentraut
26e89e7f23 Fix typos 2012-01-10 22:49:17 +02:00
Bruce Momjian
e126958c2e Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
Peter Eisentraut
f9de1e9a96 PL/Python: Add argument names to function declarations
For easier source reading
2011-12-29 22:55:49 +02:00