There are numerous methods by which a Perl or Tcl function can subvert
the behavior of another such function executed later; for example, by
redefining standard functions or operators called by the target function.
If the target function is SECURITY DEFINER, or is called by such a
function, this means that any ordinary SQL user with Perl or Tcl language
usage rights can do essentially anything with the privileges of the target
function's owner.

To close this security hole, create a separate Perl or Tcl interpreter for
each SQL userid under which plperl or pltcl functions are executed within
a session.  However, all plperlu or pltclu functions run within a session
still share a single interpreter, since they all execute at the trust
level of a database superuser anyway.

Note: this change results in a functionality loss when libperl has been
built without the "multiplicity" option: it's no longer possible to call
plperl functions under different userids in one session, since such a
libperl can't support multiple interpreters in one process.  However, such
a libperl already failed to support concurrent use of plperl and plperlu,
so it's likely that few people use such versions with Postgres.

Security: CVE-2010-3433

Erik Rijkers

8.0.26, and 7.4.30.

from Tom.

rather than atol().

Per report from Brian Hirt

resource leak.  Of course, any such failure aborts pg_upgrade, but might
as well be clean about it.

Per patch from Grzegorz Ja?kiewicz.

Need a "return false" to prevent tests from continuing after we've moved
the "query" pointer.  As it stood, it'd accept "DROP DISCARD ALL" as a
match.

directory.

Per report from Harald Armin Massa.

Per report from Harald Armin Massa

The point of a PlaceHolderVar is to allow a non-strict expression to be
evaluated below an outer join, after which its value bubbles up like a Var
and can be forced to NULL when the outer join's semantics require that.
However, there was a serious design oversight in that, namely that we
didn't ensure that there was actually a correct place in the plan tree
to evaluate the placeholder :-(.  It may be necessary to delay evaluation
of an outer join to ensure that a placeholder that should be evaluated
below the join can be evaluated there.  Per recent bug report from Kirill
Simonov.

Back-patch to 8.4 where the PlaceHolderVar mechanism was introduced.

title, per suggestion from Ian Barwick.

We allowes DISCARD PLANS and TEMP in a transaction.

Backpatch to 8.3.

Reported by Sergey Burladyan.

Devrim GÜNDÜZ

The previous coding would decide that join removal was unsafe upon finding
a PlaceHolderVar that needed to be evaluated at the inner rel and then used
above the join.  However, this fails to cover the case of PlaceHolderVars
that refer to both the inner rel and some other rels.  Per bug report from
Andrus.

It now emerges that the JDBC driver expects to be able to use pg_get_expr()
on an output of a sub-SELECT.  So extend the check logic to be able to recurse
into a sub-SELECT to see if the argument is ultimately coming from an
appropriate column.  Per report from Thomas Kellerer.

Command synopses using <cmdsynopsis> with multiple variants previously used
<sbr> to break lines between variants.  The new man page toolchain introduced
in 9.0 makes a mess out of that, and that markup was probably wrong all along,
because <sbr> is supposed to break lines within a synopsis, not between them.
So fix that by using multiple <cmdsynopsis> elements inside <refsynopsisdiv>.

backpatched to 9.0

Fix overly-enthusiastic ignores, as identified by
git ls-files -i --exclude-standard

Kevin Grittner

This was broken in 9.0 by careless addition of an early-exit path.
Bug report and diagnosis by Jeff Davis.

hasn't been set.

The only known case where this can happen is when show_session_authorization
is invoked in an autovacuum process, which is possible if an index function
calls it, as for example in bug #5669 from Andrew Geery.  We could perhaps
try to return a sensible value, such as the name of the cluster-owning
superuser; but that seems like much more trouble than the case is worth,
and in any case it could create new possible failure modes.  Simply
returning an empty string seems like the most appropriate fix.

Back-patch to all supported versions, even those before autovacuum, just
in case there's another way to provoke this crash.

In some situations the original coding led to corrupting the child AppendRel's
subpaths list, effectively adding other members of the parent's list to it.
This was usually masked because we never made any further use of the child's
list, but given the right combination of circumstances, we could do so.  The
visible symptom would be a relation getting scanned twice, as in bug #5673
from David Schmitt.

Backpatch to 8.2, which is as far back as the risky coding appears.  The
example submitted by David only fails in 8.4 and later, but I'm not convinced
that there aren't any even-more-obscure cases where 8.2 and 8.3 would fail.

servers. AFAICT it's harmless at the moment because nothing can depend on
either, but as soon as we introduce an object type with such dependencies,
tableoid needs to be set or pg_dump will fail to interpret the dependencies
correctly. In theory, I guess the uninitialized garbage in tableoid could
cause the object to be mistaken for some other object with same OID as well.

This was unintentionally broken in 8.4 while tightening up checking of
ordinary non-Julian date inputs to forbid references to "year zero".
Per bug #5672 from Benjamin Gigot.

The previous patches failed to cover a lot of symlinks that are only
added in platform-specific cases.  Make the lists match what's in the
Makefile for each branch.

These are just cosmetic and don't seem worth back-patching far.
I put them into 9.0 just because it was trivial to do so.

Also do some further work in the back branches, where quite a bit wasn't
covered by Magnus' original back-patch.

Backpatch to 8.2 as that's how far the structure looks the same.

for git. Change other references from cvs to git as well.

In older branches, also git-ify the "make distdir" rule.