1
0
mirror of https://github.com/postgres/postgres.git synced 2025-08-25 20:23:07 +03:00
Commit Graph

4464 Commits

Author SHA1 Message Date
Tom Lane
de59c01f26 Stamp release 7.4.16.
Security: CVE-2007-0555, CVE-2007-0556
2007-02-02 00:15:35 +00:00
Tom Lane
abeae11765 Update release notes for security-related releases in all active branches.
Security: CVE-2007-0555, CVE-2007-0556
2007-02-02 00:11:02 +00:00
Bruce Momjian
230ae1a106 Fix markup because older releases couldn't link to the reference section. 2007-01-06 04:17:15 +00:00
Bruce Momjian
c1478c8f57 Remove extra character added to top. 2007-01-06 03:36:32 +00:00
Bruce Momjian
77c7616482 Fix markup because lc_numeric didn't have an SGML tag in this release. 2007-01-06 03:14:32 +00:00
Tom Lane
6faab66422 Minor copy-editing for release note updates. 2007-01-05 22:35:13 +00:00
Bruce Momjian
37a86cd254 Stamp release 7.4.15. 2007-01-05 20:53:11 +00:00
Bruce Momjian
e105a651f7 Create release notes for 7.4.15. 2007-01-05 20:02:55 +00:00
Tom Lane
1d5ad22c32 A bit of copy-editing on back-branch release notes. 2006-10-11 20:56:21 +00:00
Bruce Momjian
10d46101f9 Stamp releases 7.3.16, 7.4.14, 8.0.9, and 8.1.5. 2006-10-09 23:38:34 +00:00
Bruce Momjian
f18ace69dc Update release notes for releases 7.3.16, 7.4.14, 8.0.9, and 8.1.5. 2006-10-09 23:23:11 +00:00
Tom Lane
e0c6d9761c date_trunc also accepts 'quarter'. Noted by Yoshihisa Nakano. 2006-10-01 18:54:57 +00:00
Alvaro Herrera
d7295afe5e Fix confusion between COPY FROM and COPY TO, per Gavin Sharry and Arul Shaji. 2006-07-31 01:09:52 +00:00
Bruce Momjian
edec862bb6 Costmetic fix for bug template version stamp. 2006-05-22 01:34:20 +00:00
Tom Lane
d6a74fe494 Update release notes for upcoming releases. 2006-05-21 21:50:02 +00:00
Bruce Momjian
5421969f72 Stamp releases 7.3.15, 7.4.13, and 8.0.8. 2006-05-21 20:28:26 +00:00
Tom Lane
96871fc236 Modify libpq's string-escaping routines to be aware of encoding considerations
and standard_conforming_strings.  The encoding changes are needed for proper
escaping in multibyte encodings, as per the SQL-injection vulnerabilities
noted in CVE-2006-2313 and CVE-2006-2314.  Concurrent fixes are being applied
to the server to ensure that it rejects queries that may have been corrupted
by attempted SQL injection, but this merely guarantees that unpatched clients
will fail rather than allow injection.  An actual fix requires changing the
client-side code.  While at it we have also fixed these routines to understand
about standard_conforming_strings, so that the upcoming changeover to SQL-spec
string syntax can be somewhat transparent to client code.

Since the existing API of PQescapeString and PQescapeBytea provides no way to
inform them which settings are in use, these functions are now deprecated in
favor of new functions PQescapeStringConn and PQescapeByteaConn.  The new
functions take the PGconn to which the string will be sent as an additional
parameter, and look inside the connection structure to determine what to do.
So as to provide some functionality for clients using the old functions,
libpq stores the latest encoding and standard_conforming_strings values
received from the backend in static variables, and the old functions consult
these variables.  This will work reliably in clients using only one Postgres
connection at a time, or even multiple connections if they all use the same
encoding and string syntax settings; which should cover many practical
scenarios.

Clients that use homebrew escaping methods, such as PHP's addslashes()
function or even hardwired regexp substitution, will require extra effort
to fix :-(.  It is strongly recommended that such code be replaced by use of
PQescapeStringConn/PQescapeByteaConn if at all feasible.
2006-05-21 20:20:24 +00:00
Tom Lane
2e319b0e40 Add a new GUC parameter backslash_quote, which determines whether the SQL
parser will allow "\'" to be used to represent a literal quote mark.  The
"\'" representation has been deprecated for some time in favor of the
SQL-standard representation "''" (two single quote marks), but it has been
used often enough that just disallowing it immediately won't do.  Hence
backslash_quote allows the settings "on", "off", and "safe_encoding",
the last meaning to allow "\'" only if client_encoding is a valid server
encoding.  That is now the default, and the reason is that in encodings
such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a
multibyte character, accepting "\'" allows SQL-injection attacks as per
CVE-2006-2314 (further details will be published after release).  The
"on" setting is available for backward compatibility, but it must not be
used with clients that are exposed to untrusted input.

Thanks to Akio Ishida and Yasuo Ohgaki for identifying this security issue.
2006-05-21 20:11:58 +00:00
Tom Lane
8cef661bcf Update release notes. 2006-02-12 22:36:05 +00:00
Bruce Momjian
86b2da894a Update FAQ latest version 2006-02-12 18:50:26 +00:00
Bruce Momjian
81c303c514 Stamp releases for 2006-02-14 release 2006-02-12 18:41:39 +00:00
Bruce Momjian
dd56158eef Update release notes for 2006-02-14 release 2006-02-12 18:23:22 +00:00
Tom Lane
e9b0c2d4bd Release-note updates and copy editing. 2006-01-06 03:00:34 +00:00
Bruce Momjian
f1f15af055 New pgcrypto item wording. 2006-01-05 15:17:40 +00:00
Bruce Momjian
877ecee373 Wording improvements. 2006-01-05 15:11:33 +00:00
Bruce Momjian
f8c7c069b5 Improve markup. 2006-01-05 14:52:58 +00:00
Bruce Momjian
721205b51c *** empty log message *** 2006-01-05 05:22:09 +00:00
Bruce Momjian
12693c6476 Stamp release 7.4.11. 2006-01-05 03:59:48 +00:00
Tom Lane
9c8c45e218 Stamp 7.4.10. 2005-12-09 20:53:26 +00:00
Tom Lane
c8457e0fb8 Add release notes for back branches (7.3 and up).
Also minor improvements to 8.1.1 release notes.
2005-12-09 20:40:56 +00:00
Peter Eisentraut
d45693fb55 Documentation fix: s/event_object_name/event_object_table/g 2005-12-08 20:44:18 +00:00
Bruce Momjian
48fabd257f Properly document return value of strpos(). 2005-11-16 03:56:52 +00:00
Tom Lane
31d276d0ed COPY's test for read-only transaction was backward; it prohibited COPY TO
where it should prohibit COPY FROM.  Found by Alon Goldshuv.
2005-10-03 23:43:45 +00:00
Tom Lane
4082f5e34f Stamp release 7.4.9. 2005-10-03 17:14:24 +00:00
Tom Lane
fd366be49a Update release notes for pending back-branch releases. 2005-10-03 16:05:09 +00:00
Neil Conway
e3523f52f7 Fix a mistake in the documentation for SPI_getbinval(), per Michael Fuhr. 2005-09-12 18:51:29 +00:00
Tom Lane
fe88b2043a Repair error in description of nonblocking usage of PQgetCopyData().
Per Volkan Yazici.
2005-06-09 19:08:47 +00:00
Tom Lane
103376e075 Update release notes for upcoming re-releases. 2005-05-09 00:10:22 +00:00
Tom Lane
26f64e4c7a Stamp release 7.4.8. 2005-05-05 20:08:35 +00:00
Tom Lane
cff25fa049 Alter the signature for encoding conversion functions to declare the
output area as INTERNAL not CSTRING.  This is to prevent people from
calling the functions by hand.  This is a permanent solution for the
back branches but I hope it is just a stopgap for HEAD.
2005-05-03 19:18:31 +00:00
Tom Lane
510f058932 Document that only a table's owner may TRUNCATE it. Per Keith Worthington. 2005-02-22 19:06:49 +00:00
Tom Lane
6508888ded Recommend security@postgresql.org as the contact point for security-related bugs. 2005-01-30 21:32:10 +00:00
Tom Lane
9c1bb68356 Stamp release 7.4.7. 2005-01-30 19:32:22 +00:00
Tom Lane
f3610577bd We haven't had a fixed limit on rule recursion depth since 7.3 ...
but the documentation still said so.
2005-01-29 23:46:16 +00:00
Tom Lane
7447537803 Stamp release 7.4.6. 2004-10-22 00:26:24 +00:00
Tom Lane
25d1755a29 Update obsolete comments about COPY vs INSERT options, per Uwe Schroeder. 2004-10-21 22:49:04 +00:00
Tom Lane
66343dde64 Put the brackets in the right places in timestamp entries in table 8-1.
Spotted by Josh Purinton.
2004-09-18 15:28:16 +00:00
Neil Conway
6090b70ace Due to popular domand, backport fix for a typo in the SELECT reference
page, per Thomas F. O'Connell.
2004-09-13 01:59:35 +00:00
Tom Lane
63398a0381 Fix bogus example for bit-string XOR (already fixed in HEAD).
Per Grzegorz Wojdyla.
2004-09-11 16:15:26 +00:00
Tom Lane
0bdacf50f1 Brand 7.4.5 ... now that was our shortest-lived release ever ... 2004-08-18 03:11:25 +00:00