[postgis-tickets] [SCM] PostGIS branch stable-3.2 updated. 3.2.0-29-g4834a9f11
git at osgeo.org
git at osgeo.org
Fri Feb 11 00:44:48 PST 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "PostGIS".
The branch, stable-3.2 has been updated
via 4834a9f11fbfc3e58b4ab5300dc8298e668a9da1 (commit)
from 4443d6989cb93e63f9dd5c21735768afb8a20b1b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 4834a9f11fbfc3e58b4ab5300dc8298e668a9da1
Author: Regina Obe <lr at pcorp.us>
Date: Fri Feb 11 03:44:04 2022 -0500
search_path vulnerability during install/upgrade.
References #5069 for PostGIS 3.2.1
diff --git a/NEWS b/NEWS
index 946b842f9..81b0045d2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,5 @@
PostGIS 3.2.1dev
-YYYY/MM/DD
+2022/02/DD
* Bug Fixes *
- #5033, #5035, allow upgrades in presence of views using deprecated
@@ -10,6 +10,8 @@ YYYY/MM/DD
- #5041, postgis_tiger_geocoder: loader_generate_script
generates script with invalid syntax (Regna Obe)
- #5076, stop install when pgaudit is active (Paul Ramsey)
+ - #5069, search_path vulnerabilty during install/upgrade
+ (Regina Obe)
PostGIS 3.2.0 (Olivier Courtin Edition)
diff --git a/extensions/postgis/unpackage_raster_if_needed.sql b/extensions/postgis/unpackage_raster_if_needed.sql
index 9d48244f1..bee2a83f9 100644
--- a/extensions/postgis/unpackage_raster_if_needed.sql
+++ b/extensions/postgis/unpackage_raster_if_needed.sql
@@ -1,10 +1,10 @@
DO $unpackage_if_needed$
BEGIN
IF EXISTS (
- select t.typname from pg_depend d, pg_extension e, pg_type t where
+ select t.typname from pg_catalog.pg_depend d, pg_catalog.pg_extension e, pg_catalog.pg_type t where
e.extname = 'postgis' and d.refclassid =
'pg_catalog.pg_extension'::pg_catalog.regclass and d.refobjid = e.oid
- and d.classid = 'pg_type'::regclass and d.objid = t.oid
+ and d.classid = 'pg_catalog.pg_type'::pg_catalog.regclass and d.objid = t.oid
and t.typname = 'raster'
) THEN
diff --git a/loader/postgis.pl b/loader/postgis.pl
index 5ef24574d..a6858d963 100644
--- a/loader/postgis.pl
+++ b/loader/postgis.pl
@@ -63,7 +63,7 @@ sub status
{
my $sql = "
SELECT n.nspname
- FROM pg_namespace n, pg_proc p
+ FROM pg_catalog.pg_namespace n, pg_catalog.pg_proc p
WHERE n.oid = p.pronamespace
AND p.proname = 'postgis_full_version'
";
diff --git a/postgis/postgis.sql.in b/postgis/postgis.sql.in
index 4ec82c396..c214abeb2 100644
--- a/postgis/postgis.sql.in
+++ b/postgis/postgis.sql.in
@@ -29,15 +29,15 @@ DO $$
DECLARE
pgver text;
BEGIN
- SELECT substring(version(), 'PostgreSQL ([0-9\.]+)') INTO pgver;
+ SELECT pg_catalog.substring(pg_catalog.version(), 'PostgreSQL ([0-9\.]+)') INTO pgver;
IF POSTGIS_PGSQL_VERSION::text != ( SELECT CASE
- WHEN split_part(s,'.',1)::integer > 9
- THEN split_part(s,'.',1) || '0'
+ WHEN pg_catalog.split_part(s,'.',1)::integer > 9
+ THEN pg_catalog.split_part(s,'.',1) || '0'
ELSE
- split_part(s,'.', 1) || split_part(s,'.', 2)
+ pg_catalog.split_part(s,'.', 1) || pg_catalog.split_part(s,'.', 2)
END
- FROM substring(version(), 'PostgreSQL ([0-9\.]+)') AS s )
+ FROM pg_catalog.substring(pg_catalog.version(), 'PostgreSQL ([0-9\.]+)') AS s )
THEN
RAISE EXCEPTION 'PostGIS built for PostgreSQL % cannot be loaded in PostgreSQL %',
POSTGIS_PGSQL_HR_VERSION, pgver;
@@ -52,7 +52,7 @@ DECLARE
rec RECORD;
BEGIN
FOR rec IN
- SELECT n.nspname, p.proname FROM pg_proc p, pg_namespace n
+ SELECT n.nspname, p.proname FROM pg_catalog.pg_proc p, pg_catalog.pg_namespace n
WHERE p.proname = 'postgis_version'
AND p.pronamespace = n.oid
LOOP
@@ -71,7 +71,7 @@ DECLARE
BEGIN
SHOW pgaudit.log INTO pgalog;
RAISE DEBUG 'pgaudit is installed, pgaudit.log is set to ''%''', pgalog;
- IF lower(pgalog) != 'none'
+ IF pg_catalog.lower(pgalog) != 'none'
THEN
RAISE EXCEPTION 'PostGIS installation stopped: pgaudit.log is set to ''%''. Set pgaudit.log to ''none'' before installing PostGIS. You may re-enable pgaudit after installation is complete.', pgalog;
END IF;
@@ -2942,8 +2942,8 @@ CREATE OR REPLACE FUNCTION _postgis_scripts_pgsql_version() RETURNS text
CREATE OR REPLACE FUNCTION _postgis_pgsql_version() RETURNS text
AS $$
- SELECT CASE WHEN split_part(s,'.',1)::integer > 9 THEN split_part(s,'.',1) || '0' ELSE split_part(s,'.', 1) || split_part(s,'.', 2) END AS v
- FROM substring(version(), 'PostgreSQL ([0-9\.]+)') AS s;
+ SELECT CASE WHEN pg_catalog.split_part(s,'.',1)::integer > 9 THEN pg_catalog.split_part(s,'.',1) || '0' ELSE pg_catalog.split_part(s,'.', 1) || pg_catalog.split_part(s,'.', 2) END AS v
+ FROM pg_catalog.substring(pg_catalog.version(), 'PostgreSQL ([0-9\.]+)') AS s;
$$ LANGUAGE 'sql' STABLE;
-- Availability: 2.5.0
@@ -3008,12 +3008,12 @@ BEGIN
LIMIT 1;
IF rec.name NOT IN('postgis_topology', 'postgis_tiger_geocoder')
THEN
- sql := format(
+ sql := pg_catalog.format(
'CREATE EXTENSION %1$I SCHEMA %2$I VERSION unpackaged;'
'ALTER EXTENSION %1$I UPDATE TO %3$I',
rec.name, var_schema, rec.default_version);
ELSE
- sql := format(
+ sql := pg_catalog.format(
'CREATE EXTENSION %1$I VERSION unpackaged;'
'ALTER EXTENSION %1$I UPDATE TO %2$I',
rec.name, rec.default_version);
@@ -3027,7 +3027,7 @@ BEGIN
ELSIF rec.default_version != rec.installed_version
THEN
sql = 'ALTER EXTENSION ' || rec.name || ' UPDATE TO ' ||
- quote_ident(rec.default_version) || ';';
+ pg_catalog.quote_ident(rec.default_version) || ';';
RAISE NOTICE 'Updating extension % from % to %',
rec.name, rec.installed_version, rec.default_version;
RAISE DEBUG '%', sql;
@@ -3039,11 +3039,11 @@ BEGIN
RAISE NOTICE 'Updating extension % %',
rec.name, rec.installed_version;
sql = 'ALTER EXTENSION ' || rec.name || ' UPDATE TO ' ||
- quote_ident(rec.default_version || 'next') || ';';
+ pg_catalog.quote_ident(rec.default_version || 'next') || ';';
RAISE DEBUG '%', sql;
EXECUTE sql;
sql = 'ALTER EXTENSION ' || rec.name || ' UPDATE TO ' ||
- quote_ident(rec.default_version) || ';';
+ pg_catalog.quote_ident(rec.default_version) || ';';
RAISE DEBUG '%', sql;
EXECUTE sql;
END IF;
diff --git a/postgis/postgis_before_upgrade.sql b/postgis/postgis_before_upgrade.sql
index d02bdc42e..11a599d8d 100644
--- a/postgis/postgis_before_upgrade.sql
+++ b/postgis/postgis_before_upgrade.sql
@@ -30,15 +30,15 @@
-- FROM pg_catalog.pg_proc p
-- LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
-- WHERE
--- LOWER(n.nspname) = LOWER('public') AND
--- LOWER(p.proname) = LOWER('ST_AsGeoJson')
+-- pg_catalog.LOWER(n.nspname) = pg_catalog.LOWER('public') AND
+-- pg_catalog.LOWER(p.proname) = pg_catalog.LOWER('ST_AsGeoJson')
-- ORDER BY 1, 2, 3, 4;
CREATE OR REPLACE FUNCTION _postgis_drop_function_if_needed(
- function_name text,
- function_arguments text) RETURNS void AS $$
+ function_name pg_catalog.text,
+ function_arguments pg_catalog.text) RETURNS void AS $$
DECLARE
- sql_drop text;
- postgis_namespace OID;
+ sql_drop pg_catalog.text;
+ postgis_namespace pg_catalog.OID;
matching_function REGPROCEDURE;
BEGIN
@@ -53,9 +53,9 @@ BEGIN
SELECT oid
FROM pg_catalog.pg_proc p
WHERE pronamespace = postgis_namespace
- AND LOWER(p.proname) = LOWER(function_name)
+ AND pg_catalog.LOWER(p.proname) = pg_catalog.LOWER(function_name)
AND pg_catalog.pg_function_is_visible(p.oid)
- AND LOWER(pg_catalog.pg_get_function_identity_arguments(p.oid)) ~ LOWER(function_arguments)
+ AND pg_catalog.LOWER(pg_catalog.pg_get_function_identity_arguments(p.oid)) ~ pg_catalog.LOWER(function_arguments)
INTO matching_function;
IF matching_function IS NOT NULL THEN
@@ -108,7 +108,7 @@ SELECT _postgis_drop_function_if_needed
DO language 'plpgsql' $$
BEGIN
-- fix geometry ops --
- IF EXISTS(SELECT oprname from pg_operator where oprname = '&&' AND oprrest::text = 'geometry_gist_sel_2d') THEN
+ IF EXISTS(SELECT oprname from pg_operator where oprname = '&&' AND oprrest::pg_catalog.text = 'geometry_gist_sel_2d') THEN
--it is bound to old name, drop new, rename old to new, install will fix body of code
DROP FUNCTION IF EXISTS gserialized_gist_sel_2d(internal, oid, internal, int4) ;
ALTER FUNCTION geometry_gist_sel_2d(internal, oid, internal, int4) RENAME TO gserialized_gist_sel_2d;
diff --git a/raster/rt_pg/rtpostgis.sql.in b/raster/rt_pg/rtpostgis.sql.in
index baac9d676..f0084873d 100644
--- a/raster/rt_pg/rtpostgis.sql.in
+++ b/raster/rt_pg/rtpostgis.sql.in
@@ -47,7 +47,7 @@ DECLARE
rec RECORD;
BEGIN
FOR rec IN
- SELECT n.nspname, p.proname FROM pg_proc p, pg_namespace n
+ SELECT n.nspname, p.proname FROM pg_catalog.pg_proc p, pg_catalog.pg_namespace n
WHERE p.proname = 'postgis_raster_lib_version'
AND p.pronamespace = n.oid
LOOP
@@ -63,11 +63,11 @@ DECLARE
nsp TEXT;
BEGIN
SELECT n.nspname
- INTO nsp FROM pg_proc p, pg_namespace n
+ INTO nsp FROM pg_catalog.pg_proc p, pg_catalog.pg_namespace n
WHERE p.proname = 'postgis_lib_version'
AND p.pronamespace = n.oid;
- IF nsp != current_schema() THEN
+ IF nsp != pg_catalog.current_schema() THEN
RAISE EXCEPTION
'PostGIS Raster must be in the same schema as PostGIS (%)',
nsp;
diff --git a/utils/create_undef.pl b/utils/create_undef.pl
index 4036801dc..a5f88fc1b 100755
--- a/utils/create_undef.pl
+++ b/utils/create_undef.pl
@@ -287,10 +287,10 @@ DECLARE
BEGIN
FOR rec IN
SELECT n.nspname, c.relname, a.attname, t.typname
- FROM pg_attribute a
- JOIN pg_class c ON a.attrelid = c.oid
- JOIN pg_namespace n ON c.relnamespace = n.oid
- JOIN pg_type t ON a.atttypid = t.oid
+ FROM pg_catalog.pg_attribute a
+ JOIN pg_catalog.pg_class c ON a.attrelid = c.oid
+ JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid
+ JOIN pg_catalog.pg_type t ON a.atttypid = t.oid
WHERE t.typname = '$type'
AND NOT (
-- we exclude complexes defined as types
@@ -398,15 +398,15 @@ DECLARE
var_result text;
var_search_path text;
BEGIN
- SELECT reset_val INTO var_search_path FROM pg_settings WHERE name = 'search_path';
- IF var_search_path NOT LIKE '%' || quote_ident(a_schema_name) || '%' THEN
+ SELECT reset_val INTO var_search_path FROM pg_catalog.pg_settings WHERE name = 'search_path';
+ IF var_search_path NOT LIKE '%' || pg_catalog.quote_ident(a_schema_name) || '%' THEN
var_result := a_schema_name || ' not in database search_path';
ELSE
- var_search_path := btrim( regexp_replace(
- replace(var_search_path, a_schema_name, ''), ', *,', ','),
+ var_search_path := pg_catalog.btrim( pg_catalog.regexp_replace(
+ pg_catalog.replace(var_search_path, a_schema_name, ''), ', *,', ','),
', ');
RAISE NOTICE 'New search_path: %', var_search_path;
- EXECUTE 'ALTER DATABASE ' || quote_ident(current_database()) || ' SET search_path = ' || var_search_path;
+ EXECUTE 'ALTER DATABASE ' || pg_catalog.quote_ident(pg_catalog.current_database()) || ' SET search_path = ' || var_search_path;
var_result := a_schema_name || ' has been stripped off database search_path ';
END IF;
diff --git a/utils/postgis_proc_upgrade.pl b/utils/postgis_proc_upgrade.pl
index 5071c0f0e..6173af8e2 100755
--- a/utils/postgis_proc_upgrade.pl
+++ b/utils/postgis_proc_upgrade.pl
@@ -253,7 +253,7 @@ BEGIN
d.objid = replaced_proc::oid
LOOP
RAISE DEBUG 'Unpackaging ${renamed} from extension %', rec.extname;
- sql := format('ALTER EXTENSION %I DROP FUNCTION ${renamed}(${args})', rec.extname);
+ sql := pg_catalog.format('ALTER EXTENSION %I DROP FUNCTION ${renamed}(${args})', rec.extname);
EXECUTE sql;
END LOOP;
@@ -622,8 +622,8 @@ BEGIN
-- FOR rec IN
-- SELECT n.nspname AS schemaname,
-- c.relname AS viewname,
--- pg_get_userbyid(c.relowner) AS viewowner,
--- pg_get_viewdef(c.oid) AS definition,
+-- pg_catalog.pg_get_userbyid(c.relowner) AS viewowner,
+-- pg_catalog.pg_get_viewdef(c.oid) AS definition,
-- CASE
-- WHEN 'check_option=cascaded' = ANY (c.reloptions) THEN 'WITH CASCADED CHECK OPTION'
-- WHEN 'check_option=local' = ANY (c.reloptions) THEN 'WITH LOCAL CHECK OPTION'
@@ -632,12 +632,12 @@ BEGIN
-- FROM pg_class c
-- LEFT JOIN pg_namespace n ON n.oid = c.relnamespace
-- WHERE c.relkind = 'v'
--- AND pg_get_viewdef(c.oid) ~ 'deprecated_by_postgis'
+-- AND pg_catalog.pg_get_viewdef(c.oid) ~ 'deprecated_by_postgis'
-- LOOP
--- sql := format('CREATE OR REPLACE VIEW %I.%I AS %s %s',
+-- sql := pg_catalog.format('CREATE OR REPLACE VIEW %I.%I AS %s %s',
-- rec.schemaname,
-- rec.viewname,
--- regexp_replace(rec.definition, '_deprecated_by_postgis_[^(]*', '', 'g'),
+-- pg_catalog.regexp_replace(rec.definition, '_deprecated_by_postgis_[^(]*', '', 'g'),
-- rec.check_option
-- );
-- RAISE NOTICE 'Updating view % to not use deprecated signatures', rec.viewname;
@@ -647,17 +647,17 @@ BEGIN
-- WHEN OTHERS THEN
-- GET STACKED DIAGNOSTICS detail := PG_EXCEPTION_DETAIL;
-- RAISE WARNING 'Could not rewrite view % using deprecated functions', rec.viewname
--- USING DETAIL = format('%s: %s', SQLERRM, detail);
+-- USING DETAIL = pg_catalog.format('%s: %s', SQLERRM, detail);
-- END;
-- END LOOP;
-- Try to drop all deprecated functions, raising a warning
-- for each one which cannot be drop
- FOR rec IN SELECT unnest(deprecated_functions) as proc
+ FOR rec IN SELECT pg_catalog.unnest(deprecated_functions) as proc
LOOP --{
- sql := format('DROP FUNCTION %s', rec.proc);
+ sql := pg_catalog.format('DROP FUNCTION %s', rec.proc);
--RAISE DEBUG 'SQL: %', sql;
BEGIN
EXECUTE sql;
@@ -666,10 +666,10 @@ BEGIN
hint = 'Resolve the issue';
GET STACKED DIAGNOSTICS detail := PG_EXCEPTION_DETAIL;
IF detail LIKE '%view % depends%' THEN
- hint = format(
+ hint = pg_catalog.format(
'Replace the view changing all occurrences of %s in its definition with %s',
rec.proc,
- regexp_replace(rec.proc::text, '_deprecated_by_postgis[^(]*', '')
+ pg_catalog.regexp_replace(rec.proc::text, '_deprecated_by_postgis[^(]*', '')
);
END IF;
hint = hint || ' and upgrade again';
@@ -719,8 +719,8 @@ BEGIN
SELECT into old_scripts MODULE_scripts_installed();
END;
SELECT into new_scripts 'NEWVERSION';
- SELECT into old_maj substring(old_scripts from 1 for 1);
- SELECT into new_maj substring(new_scripts from 1 for 1);
+ SELECT into old_maj pg_catalog.substring(old_scripts,1, 1);
+ SELECT into new_maj pg_catalog.substring(new_scripts,1, 1);
-- 2.x to 3.x was upgrade-compatible, see
-- https://trac.osgeo.org/postgis/ticket/4170#comment:1
@@ -738,18 +738,18 @@ BEGIN
) SELECT
upgraded as scripts_upgraded,
installed as scripts_installed,
- substring(upgraded from '([0-9]+)\.')::int * 100 +
- substring(upgraded from '[0-9]+\.([0-9]+)(\.|$)')::int
+ pg_catalog.substring(upgraded, '([0-9]+)\.')::int * 100 +
+ pg_catalog.substring(upgraded, '[0-9]+\.([0-9]+)(\.|$)')::int
as version_to_num,
- substring(installed from '([0-9]+)\.')::int * 100 +
- substring(installed from '[0-9]+\.([0-9]+)(\.|$)')::int
+ pg_catalog.substring(installed, '([0-9]+)\.')::int * 100 +
+ pg_catalog.substring(installed, '[0-9]+\.([0-9]+)(\.|$)')::int
as version_from_num,
installed ~ 'dev|alpha|beta'
as version_from_isdev
FROM versions INTO postgis_upgrade_info
;
- postgis_upgrade_info_func_code := format($func_code$
+ postgis_upgrade_info_func_code := pg_catalog.format($func_code$
CREATE FUNCTION _postgis_upgrade_info(OUT scripts_upgraded TEXT,
OUT scripts_installed TEXT,
OUT version_to_num INT,
-----------------------------------------------------------------------
Summary of changes:
NEWS | 4 ++-
extensions/postgis/unpackage_raster_if_needed.sql | 4 +--
loader/postgis.pl | 2 +-
postgis/postgis.sql.in | 28 +++++++++---------
postgis/postgis_before_upgrade.sql | 18 ++++++------
raster/rt_pg/rtpostgis.sql.in | 6 ++--
utils/create_undef.pl | 18 ++++++------
utils/postgis_proc_upgrade.pl | 36 +++++++++++------------
8 files changed, 59 insertions(+), 57 deletions(-)
hooks/post-receive
--
PostGIS
More information about the postgis-tickets
mailing list