yazun
diff --git a/‎contrib/oid2name/oid2name.c
Lines changed: 13 additions & 0 deletions b/‎contrib/oid2name/oid2name.c
Lines changed: 13 additions & 0 deletions
diff --git a/‎contrib/vacuumlo/vacuumlo.c
Lines changed: 3 additions & 5 deletions b/‎contrib/vacuumlo/vacuumlo.c
Lines changed: 3 additions & 5 deletions
diff --git a/‎src/backend/postmaster/autovacuum.c
Lines changed: 14 additions & 0 deletions b/‎src/backend/postmaster/autovacuum.c
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/bin/pg_basebackup/streamutil.c
Lines changed: 18 additions & 0 deletions b/‎src/bin/pg_basebackup/streamutil.c
Lines changed: 18 additions & 0 deletions
diff --git a/‎src/bin/pg_dump/dumputils.c
Lines changed: 10 additions & 6 deletions b/‎src/bin/pg_dump/dumputils.c
Lines changed: 10 additions & 6 deletions
diff --git a/‎src/bin/pg_dump/pg_backup_db.c
Lines changed: 11 additions & 0 deletions b/‎src/bin/pg_dump/pg_backup_db.c
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/bin/pg_dump/pg_dump.c
Lines changed: 15 additions & 2 deletions b/‎src/bin/pg_dump/pg_dump.c
Lines changed: 15 additions & 2 deletions
diff --git a/‎src/bin/pg_dump/pg_dumpall.c
Lines changed: 2 additions & 5 deletions b/‎src/bin/pg_dump/pg_dumpall.c
Lines changed: 2 additions & 5 deletions
diff --git a/‎src/bin/pg_rewind/libpq 10000 _fetch.c
Lines changed: 7 additions & 0 deletions b/‎src/bin/pg_rewind/libpq 10000 _fetch.c
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/bin/pg_upgrade/server.c
Lines changed: 3 additions & 0 deletions b/‎src/bin/pg_upgrade/server.c
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/bin/scripts/Makefile
Lines changed: 12 additions & 11 deletions b/‎src/bin/scripts/Makefile
Lines changed: 12 additions & 11 deletions
diff --git a/‎src/bin/scripts/clusterdb.c
Lines changed: 8 additions & 4 deletions b/‎src/bin/scripts/clusterdb.c
Lines changed: 8 additions & 4 deletions
@@ -9,6 +9,7 @@
  */
 #include "postgres_fe.h"
 
+#include "fe_utils/connect.h"
 #include "libpq-fe.h"
 #include "pg_getopt.h"
 
@@ -263,6 +264,7 @@ sql_conn(struct options * my_opts)
 	PGconn	   *conn;
 	char	   *password = NULL;
 	bool		new_pass;
+	PGresult   *res;
 
 	/*
 	 * Start the connection.  Loop until we have a password if requested by
@@ -322,6 +324,17 @@ sql_conn(struct options * my_opts)
 		exit(1);
 	}
 
+	res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		fprintf(stderr, "oid2name: could not clear search_path: %s\n",
+				PQerrorMessage(conn));
+		PQclear(res);
+		PQfinish(conn);
+		exit(-1);
+	}
+	PQclear(res);
+
 	/* return the conn if good */
 	return conn;
 }
 
@@ -21,6 +21,7 @@
 #include <termios.h>
 #endif
 
+#include "fe_utils/connect.h"
 #include "libpq-fe.h"
 #include "pg_getopt.h"
 
@@ -135,11 +136,8 @@ vacuumlo(const char *database, const struct _param * param)
 			fprintf(stdout, "Test run: no large objects will be removed!\n");
 	}
 
-	/*
-	 * Don't get fooled by any non-system catalogs
-	 */
-	res = PQexec(conn, "SET search_path = pg_catalog");
-	if (PQresultStatus(res) != PGRES_COMMAND_OK)
+	res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
 	{
 		fprintf(stderr, "Failed to set search_path:\n");
 		fprintf(stderr, "%s", PQerrorMessage(conn));
 
@@ -530,6 +530,12 @@ AutoVacLauncherMain(int argc, char *argv[])
 	/* must unblock signals before calling rebuild_database_list */
 	PG_SETMASK(&UnBlockSig);
 
+	/*
+	 * Set always-secure search path.  Launcher doesn't connect to a database,
+	 * so this has no effect.
+	 */
+	SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
+
 	/*
 	 * Force zero_damaged_pages OFF in the autovac process, even if it is set
 	 * in postgresql.conf.  We don't really want such a dangerous option being
@@ -1543,6 +1549,14 @@ AutoVacWorkerMain(int argc, char *argv[])
 
 	PG_SETMASK(&UnBlockSig);
 
+	/*
+	 * Set always-secure search path, so malicious users can't redirect user
+	 * code (e.g. pg_index.indexprs).  (That code runs in a
+	 * SECURITY_RESTRICTED_OPERATION sandbox, so malicious users could not
+	 * take control of the entire autovacuum worker in any case.)
+	 */
+	SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
+
 	/*
 	 * Force zero_damaged_pages OFF in the autovac process, even if it is set
 	 * in postgresql.conf.  We don't really want such a dangerous option being
 
@@ -30,6 +30,7 @@
 #include "pqexpbuffer.h"
 #include "common/fe_memutils.h"
 #include "datatype/timestamp.h"
+#include "fe_utils/connect.h"
 
 #define ERRCODE_DUPLICATE_OBJECT  "42710"
 
@@ -208,6 +209,23 @@ GetConnection(void)
 	if (conn_opts)
 		PQconninfoFree(conn_opts);
 
+	/* Set always-secure search path, so malicious users can't get control. */
+	if (dbname != NULL)
+	{
+		PGresult   *res;
+
+		res = PQexec(tmpconn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+		if (PQresultStatus(res) != PGRES_TUPLES_OK)
+		{
+			fprintf(stderr, _("%s: could not clear search_path: %s\n"),
+					progname, PQerrorMessage(tmpconn));
+			PQclear(res);
+			PQfinish(tmpconn);
+			exit(1);
+		}
+		PQclear(res);
+	}
+
 	/*
 	 * Ensure we have the same value of integer timestamps as the server we
 	 * are connecting to.
 
@@ -1376,8 +1376,9 @@ processSQLNamePattern(PGconn *conn, PQExpBuffer buf, const char *pattern,
 	}
 
 	/*
-	 * Now decide what we need to emit.  Note there will be a leading "^(" in
-	 * the patterns in any case.
+	 * Now decide what we need to emit.  We may run under a hostile
+	 * search_path, so qualify EVERY name.  Note there will be a leading "^("
+	 * in the patterns in any case.
 	 */
 	if (namebuf.len > 2)
 	{
@@ -1390,15 +1391,18 @@ processSQLNamePattern(PGconn *conn, PQExpBuffer buf, const char *pattern,
 			WHEREAND();
 			if (altnamevar)
 			{
-				appendPQExpBuffer(buf, "(%s ~ ", namevar);
+				appendPQExpBuffer(buf,
+								  "(%s OPERATOR(pg_catalog.~) ", namevar);
 				appendStringLiteralConn(buf, namebuf.data, conn);
-				appendPQExpBuffer(buf, "\n        OR %s ~ ", altnamevar);
+				appendPQExpBuffer(buf,
+								  "\n        OR %s OPERATOR(pg_catalog.~) ",
+								  altnamevar);
 				appendStringLiteralConn(buf, namebuf.data, conn);
 				appendPQExpBufferStr(buf, ")\n");
 			}
 			else
 			{
-				appendPQExpBuffer(buf, "%s ~ ", namevar);
+				appendPQExpBuffer(buf, "%s OPERATOR(pg_catalog.~) ", namevar);
 				appendStringLiteralConn(buf, namebuf.data, conn);
 				appendPQExpBufferChar(buf, '\n');
 			}
@@ -1414,7 +1418,7 @@ processSQLNamePattern(PGconn *conn, PQExpBuffer buf, const char *pattern,
 		if (strcmp(schemabuf.data, "^(.*)$") != 0 && schemavar)
 		{
 			WHEREAND();
-			appendPQExpBuffer(buf, "%s ~ ", schemavar);
+			appendPQExpBuffer(buf, "%s OPERATOR(pg_catalog.~) ", schemavar);
 			appendStringLiteralConn(buf, schemabuf.data, conn);
 			appendPQExpBufferChar(buf, '\n');
 		}
 
@@ -12,6 +12,7 @@
 #include "postgres_fe.h"
 
 #include "dumputils.h"
+#include "fe_utils/connect.h"
 #include "parallel.h"
 #include "pg_backup_archiver.h"
 #include "pg_backup_db.h"
@@ -113,6 +114,11 @@ ReconnectToServer(ArchiveHandle *AH, const char *dbname, const char *username)
 	PQfinish(AH->connection);
 	AH->connection = newConn;
 
+	/* Start strict; later phases may override this. */
+	if (PQserverVersion(AH->connection) >= 70300)
+		PQclear(ExecuteSqlQueryForSingleRow((Archive *) AH,
+											ALWAYS_SECURE_SEARCH_PATH_SQL));
+
 	return 1;
 }
 
@@ -321,6 +327,11 @@ ConnectDatabase(Archive *AHX,
 					  PQdb(AH->connection) ? PQdb(AH->connection) : "",
 					  PQerrorMessage(AH->connection));
 
+	/* Start strict; later phases may override this. */
+	if (PQserverVersion(AH->connection) >= 70300)
+		PQclear(ExecuteSqlQueryForSingleRow((Archive *) AH,
+											ALWAYS_SECURE_SEARCH_PATH_SQL));
+
 	/*
 	 * We want to remember connection's actual password, whether or not we got
 	 * it by prompting.  So we don't just store the password variable.
 
@@ -60,6 +60,7 @@
 #include "pg_backup_db.h"
 #include "pg_backup_utils.h"
 #include "pg_dump.h"
+#include "fe_utils/connect.h"
 
 
 typedef struct
@@ -965,6 +966,9 @@ setup_connection(Archive *AH, const char *dumpencoding,
 	PGconn	   *conn = GetConnection(AH);
 	const char *std_strings;
 
+	if (AH->remoteVersion >= 70300)
+		PQclear(ExecuteSqlQueryForSingleRow(AH, ALWAYS_SECURE_SEARCH_PATH_SQL));
+
 	/*
 	 * Set the client encoding if requested.
 	 */
@@ -1257,21 +1261,30 @@ expand_table_name_patterns(Archive *fout,
 
 	for (cell = patterns->head; cell; cell = cell->next)
 	{
+		/*
+		 * Query must remain ABSOLUTELY devoid of unqualified names.  This
+		 * would be unnecessary given a pg_table_is_visible() variant taking a
+		 * search_path argument.
+		 */
 		if (cell != patterns->head)
 			appendPQExpBufferStr(query, "UNION ALL\n");
 		appendPQExpBuffer(query,
 						  "SELECT c.oid"
 						  "\nFROM pg_catalog.pg_class c"
-		"\n     LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace"
-					 "\nWHERE c.relkind in ('%c', '%c', '%c', '%c', '%c')\n",
+						  "\n     LEFT JOIN pg_catalog.pg_namespace n"
+						  "\n     ON n.oid OPERATOR(pg_catalog.=) c.relnamespace"
+						  "\nWHERE c.relkind OPERATOR(pg_catalog.=) ANY"
+						  "\n    (array['%c', '%c', '%c', '%c', '%c'])\n",
 						  RELKIND_RELATION, RELKIND_SEQUENCE, RELKIND_VIEW,
 						  RELKIND_MATVIEW, RELKIND_FOREIGN_TABLE);
 							  false, "n.nspname", "c.relname", NULL,
 							  "pg_catalog.pg_table_is_visible(c.oid)");
 	}
 
+	ExecuteSqlStatement(fout, "RESET search_path");
 	res = ExecuteSqlQuery(fout, query->data, PGRES_TUPLES_OK);
+	PQclear(ExecuteSqlQueryForSingleRow(fout, ALWAYS_SECURE_SEARCH_PATH_SQL));
 
 	for (i = 0; i < PQntuples(res); i++)
 	{
 
@@ -26,6 +26,7 @@
 
 #include "dumputils.h"
 #include "pg_backup.h"
+#include "fe_utils/connect.h"
 
 /* version string we expect back from pg_dump */
 #define PGDUMP_VERSIONSTR "pg_dump (PostgreSQL) " PG_VERSION "\n"
@@ -1983,12 +1984,8 @@ connectDatabase(const char *dbname, const char *connection_string,
 		exit_nicely(1);
 	}
 
-	/*
-	 * On 7.3 and later, make sure we are not fooled by non-system schemas in
-	 * the search path.
-	 */
 	if (server_version >= 70300)
-		executeCommand(conn, "SET search_path = pg_catalog");
+		PQclear(executeQuery(conn, ALWAYS_SECURE_SEARCH_PATH_SQL));
 
 	return conn;
 }
 
@@ -29,6 +29,7 @@
 #include "libpq-fe.h"
 #include "catalog/catalog.h"
 #include "catalog/pg_type.h"
+#include "fe_utils/connect.h"
 
 static PGconn *conn = NULL;
 
@@ -58,6 +59,12 @@ libpqConnect(const char *connstr)
 
 	pg_log(PG_PROGRESS, "connected to server\n");
 
+	res = PQexec(conn, ALWAYS_SECURE_SEARCH_PATH_SQL);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+		pg_fatal("could not clear search_path: %s",
+				 PQresultErrorMessage(res));
+	PQclear(res);
+
 	/*
 	 * Check that the server is not in hot standby mode. There is no
 	 * fundamental reason that couldn't be made to work, but it doesn't
 
@@ -9,6 +9,7 @@
 
 #include "postgres_fe.h"
 
+#include "fe_utils/connect.h"
 #include "pg_upgrade.h"
 
 
@@ -39,6 +40,8 @@ connectToServer(ClusterInfo *cluster, const char *db_name)
 		exit(1);
 	}
 
+	PQclear(executeQueryOrDie(conn, ALWAYS_SECURE_SEARCH_PATH_SQL));
+
 	return conn;
 }
 
 
@@ -25,16 +25,17 @@ all: $(PROGRAMS)
 %: %.o $(WIN32RES)
 	$(CC) $(CFLAGS) $^ $(libpq_pgport) $(LDFLAGS) $(LDFLAGS_EX) $(LIBS) -o $@$(X)
 
-createdb: createdb.o common.o dumputils.o kwlookup.o keywords.o | submake-libpq submake-libpgport
-createlang: createlang.o common.o print.o mbprint.o | submake-libpq submake-libpgport
-createuser: createuser.o common.o dumputils.o kwlookup.o keywords.o | submake-libpq submake-libpgport
-dropdb: dropdb.o common.o dumputils.o kwlookup.o keywords.o | submake-libpq submake-libpgport
-droplang: droplang.o common.o print.o mbprint.o | submake-libpq submake-libpgport
-dropuser: dropuser.o common.o dumputils.o kwlookup.o keywords.o | submake-libpq submake-libpgport
-clusterdb: clusterdb.o common.o dumputils.o kwlookup.o keywords.o | submake-libpq submake-libpgport
-vacuumdb: vacuumdb.o common.o dumputils.o kwlookup.o keywords.o | submake-libpq submake-libpgport
-reindexdb: reindexdb.o common.o dumputils.o kwlookup.o keywords.o | submake-libpq submake-libpgport
-pg_isready: pg_isready.o common.o | submake-libpq submake-libpgport
+SCRIPTS_COMMON = common.o dumputils.o kwlookup.o keywords.o
+createdb: createdb.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
+createlang: createlang.o $(SCRIPTS_COMMON) print.o mbprint.o | submake-libpq submake-libpgport
+createuser: createuser.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
+dropdb: dropdb.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
+droplang: droplang.o $(SCRIPTS_COMMON) print.o mbprint.o | submake-libpq submake-libpgport
+dropuser: dropuser.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
+clusterdb: clusterdb.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
+vacuumdb: vacuumdb.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
+reindexdb: reindexdb.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
+pg_isready: pg_isready.o $(SCRIPTS_COMMON) | submake-libpq submake-libpgport
 
 dumputils.c keywords.c: % : $(top_srcdir)/src/bin/pg_dump/%
 	rm -f $@ && $(LN_S) $< .
@@ -65,7 +66,7 @@ uninstall:
 
 clean distclean maintainer-clean:
 	rm -f $(addsuffix $(X), $(PROGRAMS)) $(addsuffix .o, $(PROGRAMS))
-	rm -f common.o dumputils.o kwlookup.o keywords.o print.o mbprint.o $(WIN32RES)
+	rm -f $(SCRIPTS_COMMON) print.o mbprint.o $(WIN32RES)
 	rm -f dumputils.c print.c mbprint.c kwlookup.c keywords.c
 	rm -rf tmp_check
 
 
@@ -194,17 +194,21 @@ cluster_one_database(const char *dbname, bool verbose, const char *table,
 
 	PGconn	   *conn;
 
+	conn = connectDatabase(dbname, host, port, username, prompt_password,
+						   progname, echo, false, false);
+
 	initPQExpBuffer(&sql);
 
 	appendPQExpBufferStr(&sql, "CLUSTER");
 	if (verbose)
 		appendPQExpBufferStr(&sql, " VERBOSE");
 	if (table)
-		appendPQExpBuffer(&sql, " %s", table);
+	{
+		appendPQExpBufferChar(&sql, ' ');
+		appendQualifiedRelation(&sql, table, conn, progname, echo);
+	}
 	appendPQExpBufferChar(&sql, ';');
 
-	conn = connectDatabase(dbname, host, port, username, prompt_password,
-						   progname, false, false);
 	if (!executeMaintenanceCommand(conn, sql.data, echo))
 	{
 		if (table)
@@ -233,7 +237,7 @@ cluster_all_databases(bool verbose, const char *maintenance_db,
 	int			i;
 
 	conn = connectMaintenanceDatabase(maintenance_db, host, port, username,
-									  prompt_password, progname);
+									  prompt_password, progname, echo);
 	result = executeQuery(conn, "SELECT datname FROM pg_database WHERE datallowconn ORDER BY 1;", progname, echo);
 	PQfinish(conn);
Original file line number	Diff line number	Diff line change
`@@ -1376,8 +1376,9 @@ processSQLNamePattern(PGconn conn, PQExpBuffer buf, const char pattern,`
`1376`	`1376`	`}`
`1377`	`1377`
`1378`	`1378`	`/*`
`1379`		`- * Now decide what we need to emit. Note there will be a leading "^(" in`
`1380`		`- * the patterns in any case.`
	`1379`	`+ * Now decide what we need to emit. We may run under a hostile`
	`1380`	`+ * search_path, so qualify EVERY name. Note there will be a leading "^("`
	`1381`	`+ * in the patterns in any case.`
`1381`	`1382`	`*/`
`1382`	`1383`	`if (namebuf.len > 2)`
`1383`	`1384`	`{`
`@@ -1390,15 +1391,18 @@ processSQLNamePattern(PGconn conn, PQExpBuffer buf, const char pattern,`
`1390`	`1391`	`WHEREAND();`
`1391`	`1392`	`if (altnamevar)`
`1392`	`1393`	`{`
`1393`		`- appendPQExpBuffer(buf, "(%s ~ ", namevar);`
	`1394`	`+ appendPQExpBuffer(buf,`
	`1395`	`+ "(%s OPERATOR(pg_catalog.~) ", namevar);`
`1394`	`1396`	`appendStringLiteralConn(buf, namebuf.data, conn);`
`1395`		`- appendPQExpBuffer(buf, "\n OR %s ~ ", altnamevar);`
	`1397`	`+ appendPQExpBuffer(buf,`
	`1398`	`+ "\n OR %s OPERATOR(pg_catalog.~) ",`
	`1399`	`+ altnamevar);`
`1396`	`1400`	`appendStringLiteralConn(buf, namebuf.data, conn);`
`1397`	`1401`	`appendPQExpBufferStr(buf, ")\n");`
`1398`	`1402`	`}`
`1399`	`1403`	`else`
`1400`	`1404`	`{`
`1401`		`- appendPQExpBuffer(buf, "%s ~ ", namevar);`
	`1405`	`+ appendPQExpBuffer(buf, "%s OPERATOR(pg_catalog.~) ", namevar);`
`1402`	`1406`	`appendStringLiteralConn(buf, namebuf.data, conn);`
`1403`	`1407`	`appendPQExpBufferChar(buf, '\n');`
`1404`	`1408`	`}`
`@@ -1414,7 +1418,7 @@ processSQLNamePattern(PGconn conn, PQExpBuffer buf, const char pattern,`
`1414`	`1418`	`if (strcmp(schemabuf.data, "^(.*)$") != 0 && schemavar)`
`1415`	`1419`	`{`
`1416`	`1420`	`WHEREAND();`
`1417`		`- appendPQExpBuffer(buf, "%s ~ ", schemavar);`
	`1421`	`+ appendPQExpBuffer(buf, "%s OPERATOR(pg_catalog.~) ", schemavar);`
`1418`	`1422`	`appendStringLiteralConn(buf, schemabuf.data, conn);`
`1419`	`1423`	`appendPQExpBufferChar(buf, '\n');`
`1420`	`1424`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`
`10`	`10`	`#include "postgres_fe.h"`
`11`	`11`
	`12`	`+#include "fe_utils/connect.h"`
`12`	`13`	`#include "pg_upgrade.h"`
`13`	`14`
`14`	`15`
`@@ -39,6 +40,8 @@ connectToServer(ClusterInfo cluster, const char db_name)`
`39`	`40`	`exit(1);`
`40`	`41`	`}`
`41`	`42`
	`43`	`+ PQclear(executeQueryOrDie(conn, ALWAYS_SECURE_SEARCH_PATH_SQL));`
	`44`	`+`
`42`	`45`	`return conn;`
`43`	`46`	`}`
`44`	`47`