Install a data-type-based solution for protecting pg_get_expr().

Since the code underlying pg_get_expr() is not secure against malformed
input, and can't practically be made so, we need to prevent miscreants
from feeding arbitrary data to it.  We can do this securely by declaring
pg_get_expr() to take a new datatype "pg_node_tree" and declaring the
system catalog columns that hold nodeToString output to be of that type.
There is no way at SQL level to create a non-null value of type pg_node_tree.
Since the backend-internal operations that fill those catalog columns
operate below the SQL level, they are oblivious to the datatype relabeling
and don't need any changes.

doc/src/sgml/catalogs.sgml

@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.227 2010/08/25 18:18:41 petere Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/catalogs.sgml,v 2.228 2010/09/03 01:34:54 tgl Exp $ -->
 <!--
  Documentation of the system catalogs, directed toward PostgreSQL developers
  -->
@@ -797,7 +797,7 @@
 
      <row>
       <entry><structfield>adbin</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>The internal representation of the column default value</entry>
      </row>
@@ -1917,7 +1917,7 @@
 
      <row>
       <entry><structfield>conbin</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>If a check constraint, an internal representation of the expression</entry>
      </row>
@@ -2915,7 +2915,7 @@
 
      <row>
       <entry><structfield>indexprs</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>
        Expression trees (in <function>nodeToString()</function>
@@ -2928,7 +2928,7 @@
 
      <row>
       <entry><structfield>indpred</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>
        Expression tree (in <function>nodeToString()</function>
@@ -3980,7 +3980,7 @@
 
      <row>
       <entry><structfield>proargdefaults</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>
        Expression trees (in <function>nodeToString()</function> representation)
@@ -4129,7 +4129,7 @@
 
      <row>
       <entry><structfield>ev_qual</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>
        Expression tree (in the form of a
@@ -4140,7 +4140,7 @@
 
      <row>
       <entry><structfield>ev_action</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>
        Query tree (in the form of a
@@ -4839,7 +4839,7 @@
 
      <row>
       <entry><structfield>tgqual</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry>Expression tree (in <function>nodeToString()</function>
        representation) for the trigger's <literal>WHEN</> condition, or null
@@ -5622,10 +5622,11 @@
 
      <row>
       <entry><structfield>typdefaultbin</structfield></entry>
-      <entry><type>text</type></entry>
+      <entry><type>pg_node_tree</type></entry>
       <entry></entry>
       <entry><para>
-       If <structfield>typdefaultbin</> is not null, it is the <function>nodeToString()</function>
+       If <structfield>typdefaultbin</> is not null, it is the
+       <function>nodeToString()</function>
        representation of a default expression for the type.  This is
        only used for domains.
       </para></entry>
@@ -5642,7 +5643,7 @@
        default expression represented by <structfield>typdefaultbin</>.  If
        <structfield>typdefaultbin</> is null and <structfield>typdefault</> is
        not, then <structfield>typdefault</> is the external representation of
-       the type's default value, which might be fed to the type's input
+       the type's default value, which can be fed to the type's input
        converter to produce a constant.
       </para></entry>
      </row>

doc/src/sgml/func.sgml

@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.531 2010/09/01 18:22:29 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.532 2010/09/03 01:34:54 tgl Exp $ -->
 
  <chapter id="functions">
   <title>Functions and Operators</title>
@@ -12746,13 +12746,13 @@ SELECT pg_type_is_visible('myschema.widget'::regtype);
        <entry>get definition of a constraint</entry>
       </row>
       <row>
-       <entry><literal><function>pg_get_expr</function>(<parameter>expr_text</parameter>, <parameter>relation_oid</>)</literal></entry>
+       <entry><literal><function>pg_get_expr</function>(<parameter>pg_node_tree</parameter>, <parameter>relation_oid</>)</literal></entry>
        <entry><type>text</type></entry>
        <entry>decompile internal form of an expression, assuming that any Vars
        in it refer to the relation indicated by the second parameter</entry>
       </row>
       <row>
-       <entry><literal><function>pg_get_expr</function>(<parameter>expr_text</parameter>, <parameter>relation_oid</>, <parameter>pretty_bool</>)</literal></entry>
+       <entry><literal><function>pg_get_expr</function>(<parameter>pg_node_tree</parameter>, <parameter>relation_oid</>, <parameter>pretty_bool</>)</literal></entry>
        <entry><type>text</type></entry>
        <entry>decompile internal form of an expression, assuming that any Vars
        in it refer to the relation indicated by the second parameter</entry>