This is the main PostgreSQL git repository. http://git.postgresql.org/cgit/postgresql.git/atom?h=master 2026-05-13T14:37:42+00:00 2026-05-13T14:37:42+00:00 Tom Lane 2026-05-13T14:37:42+00:00 urn:sha1:736a97bddd16f0511dc62b7e4770376a34f10114 It's as opinionated as ever. 2026-05-13T14:34:17+00:00 Tom Lane 2026-05-13T14:34:17+00:00 urn:sha1:020794ee42a3413b416898e7931a8a3a5b43e9ab Update typedefs.list from the buildfarm, and run pgindent. The changes from the new typedefs list are pretty minimal, since we'd been pretty good (not perfect) about updating typedefs.list by hand. But the pgindent behavior changes installed by a3e6beba6, b518ba4af, and 60f9467c3 add up to make this a relatively sizable diff. 2026-05-11T12:13:47+00:00 Nathan Bossart 2026-05-11T12:13:47+00:00 urn:sha1:bd48114937c8af9cb86972e2b576924a761359cf When result_is_int is set to 0, PQfn() cannot validate that the result fits in result_buf, so it will write data beyond the end of the buffer when the server returns more data than requested. Since this function is insecurable and obsolete, add a warning to the top of the pertinent documentation advising against its use. The only in-tree caller of PQfn() is the frontend large object interface. To fix that, add a buf_size parameter to pqFunctionCall3() that is used to protect against overruns, and use it in a private version of PQfn() that also accepts a buf_size parameter. Reported-by: Yu Kunpeng <yu443940816@live.com> Reported-by: Martin Heistermann <martin.heistermann@unibe.ch> Author: Nathan Bossart <nathandbossart@gmail.com> Reviewed-by: Noah Misch <noah@leadboat.com> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Etsuro Fujita <etsuro.fujita@gmail.com> Security: CVE-2026-6477 Backpatch-through: 14 2026-05-11T12:13:46+00:00 Michael Paquier 2026-05-11T12:13:46+00:00 urn:sha1:5924e256c499c010dd369984498c8d5a4ee17894 This commit applies timingsafe_bcmp() to authentication paths that handle attributes or data previously compared with memcpy() or strcmp(), which are sensitive to timing attacks. The following data is concerned by this change, some being in the backend and some in the frontend: - For a SCRAM or MD5 password, the computed key or the MD5 hash compared with a password during a plain authentication. - For a SCRAM exchange, the stored key, the client's final nonce and the server nonce. - RADIUS (up to v18), the encrypted password. - For MD5 authentication, the MD5(MD5()) hash. Reported-by: Joe Conway <mail@joeconway.com> Security: CVE-2026-6478 Author: Michael Paquier <michael@paquier.xyz> Reviewed-by: John Naylor <johncnaylorls@gmail.com> Backpatch-through: 14 2026-05-05T08:39:13+00:00 Peter Eisentraut 2026-05-05T07:59:49+00:00 urn:sha1:22f9207aaa37fe418055f7a1ad6e681c021f70b0 2026-05-01T19:12:28+00:00 Andrew Dunstan 2026-05-01T19:12:28+00:00 urn:sha1:c34a280c85b39b6e875afa56542a055d2b90b640 ECPGdeallocate_all(), ECPGprepared_statement(), ECPGget_desc(), and ecpg_freeStmtCacheEntry() could crash with a SIGSEGV when called without an established connection (for example, when EXEC SQL CONNECT was forgotten or a non-existent connection name was used), because they dereferenced the result of ecpg_get_connection() without first checking it for NULL. Each site is fixed in the style of the surrounding code. New tests are added for these conditions. Author: Shruthi Gowda <gowdashru@gmail.com> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Fujii Masao <masao.fujii@gmail.com> Reviewed-by: Mahendra Singh Thalor <mahi6run@gmail.com> Reviewed-by: Nishant Sharma <nishant.sharma@enterprisedb.com> Discussion: https://postgr.es/m/3007317.1765210195@sss.pgh.pa.us Backpatch-through: 14 2026-04-21T05:46:22+00:00 Michael Paquier 2026-04-21T05:46:22+00:00 urn:sha1:d3bba041543593eb5341683107d899734dc8e73e This batch is similar to 462fe0ff6215 and addresses a variety of code style issues, including grammar mistakes, typos, inconsistent variable names in function declarations, and incorrect function names in comments and documentation. These fixes have accumulated on the community mailing lists since the commit mentioned above. Notably, Alexander Lakhin previously submitted a patch identifying many of the trivial typos and grammar issues that had been reported on pgsql-hackers. His patch covered a somewhat large portion of the issues addressed here, though not all of them. The documentation changes only affect HEAD. 2026-04-15T11:30:34+00:00 Andrew Dunstan 2026-04-14T20:13:08+00:00 urn:sha1:3e2a1496bae628c379ca0a11ef5f5ba666f24ae8 Commit 095c9d4cf06 added errdetail() reporting of the PID and UID of the process that sent a termination signal. However, as noted by Andres Freund, the implementation had architectural problems: 1. wrapper_handler() in pqsignal.c contained SIGTERM-specific logic (setting ProcDieSenderPid/Uid), violating its role as a generic signal dispatch wrapper. 2. Using globals to pass sender info between wrapper_handler and the real handler is unsafe when signals nest on some platforms. 3. The syncrep.c errdetail used psprintf() to conditionally embed text via %s, breaking translatability. Adopt the approach proposed by Andres Freund: introduce a pg_signal_info struct that is passed as an argument to all signal handlers via the SIGNAL_ARGS macro. wrapper_handler populates it from siginfo_t when SA_SIGINFO is available, or with zeros otherwise. This keeps wrapper_handler fully generic and avoids any globals for passing signal metadata. Since pqsigfunc now has a different signature from the system's signal handler type, SIG_IGN and SIG_DFL can no longer be passed directly to pqsignal(). Introduce PG_SIG_IGN and PG_SIG_DFL macros that cast to the new pqsigfunc type, and update all call sites. The legacy pqsignal() in libpq retains its original signature via a local typedef. Only die() reads pg_siginfo today, copying the sender PID/UID into ProcDieSenderPid/Uid for later use by ProcessInterrupts(). Only the first SIGTERM's sender info is recorded. Also fix the syncrep.c translatability issue by using separate ereport calls with complete, independently translatable errdetail strings. Also make the psql TAP test require the DETAIL line on platforms with SA_SIGINFO, rather than making it unconditionally optional. On Windows, pg_signal_info uses uint32_t for pid and uid fields since pid_t/uid_t are not available early enough in the include chain. The Windows signal dispatch in pgwin32_dispatch_queued_signals() passes a zeroed pg_signal_info to handlers. Author: Andres Freund <andres@anarazel.de> Author: Jakub Wartak <jakub.wartak@enterprisedb.com> Reviewed-by: Andrew Dunstan <andrew@dunslane.net> Reviewed-by: Chao Li <li.evan.chao@gmail.com> Discussion: https://postgr.es/m/cwyyryh2veejuxbj5ifzyaejw7jhhqc5mrdeq56xckknsdecn2@6hzfcxde2nm5 Discussion: https://postgr.es/m/jygesyr7mwg7ovdbxpmjvvbi3hccptpkcreqb645h7f56puwbz@hmkkwi3melfe 2026-04-07T15:15:14+00:00 Jacob Champion 2026-04-07T15:15:14+00:00 urn:sha1:6d00fb9048fe61381c9f4d542cfd2bc767d95a3b PGOAUTHDEBUG is a blunt instrument: you get all the debugging features, or none of them. The most annoying consequence during manual use is the Curl debug trace, which tends to obscure the device flow prompt entirely. The promotion of PGOAUTHCAFILE into its own feature in 993368113 improved the situation somewhat, but there's still the discomfort of knowing you have to opt into many dangerous behaviors just to get the single debug feature you wanted. Explode the PGOAUTHDEBUG syntax into a comma-separated list. The old "UNSAFE" value enables everything, like before. Any individual unsafe features still require the envvar to begin with an "UNSAFE:" prefix, to try to interrupt the flow of someone who is about to do something they should not. So now, rather than PGOAUTHDEBUG=UNSAFE # enable all the unsafe things a developer can say PGOAUTHDEBUG=call-count # only show me the call count. safe! PGOAUTHDEBUG=UNSAFE:trace # print secrets, but don't allow HTTP To avoid adding more build system scaffolding to libpq-oauth, implement this entirely in a small private header. This unfortunately can't be standalone, so it needs a headerscheck exception. Author: Zsolt Parragi <zsolt.parragi@percona.com> Co-authored-by: Jacob Champion <jacob.champion@enterprisedb.com> Reviewed-by: Chao Li <li.evan.chao@gmail.com> Reviewed-by: Zsolt Parragi <zsolt.parragi@percona.com> Discussion: https://postgr.es/m/CAOYmi%2B%3DfbZNJSkHVci%3DGpR8XPYObK%3DH%2B2ERRha0LDTS%2BifsWnw%40mail.gmail.com Discussion: https://postgr.es/m/CAN4CZFMmDZMH56O9vb_g7vHqAk8ryWFxBMV19C39PFghENg8kA%40mail.gmail.com 2026-03-31T18:47:26+00:00 Jacob Champion 2026-03-31T18:47:26+00:00 urn:sha1:09532b4040ed4c313351366166f55e810f152d6a For PG19, since we won't have the ability to officially switch out flow plugins, relax the flow-loading code to not require the internal init function. Modules that don't have one will be treated as custom user flows in error messages. This will let bleeding-edge developers more easily test out the API and provide feedback for PG20, by telling the runtime linker to find a different libpq-oauth. It remains undocumented for end users. Reviewed-by: Zsolt Parragi <zsolt.parragi@percona.com> Reviewed-by: Chao Li <li.evan.chao@gmail.com> Discussion: https://postgr.es/m/CAOYmi%2BmrGg%2Bn_X2MOLgeWcj3v_M00gR8uz_D7mM8z%3DdX1JYVbg%40mail.gmail.com