From c400717172d77e5b07e51e04c5e5e13da181572e Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Mon, 8 Aug 2016 10:07:46 -0400 Subject: Field conninfo strings throughout src/bin/scripts. These programs nominally accepted conninfo strings, but they would proceed to use the original dbname parameter as though it were an unadorned database name. This caused "reindexdb dbname=foo" to issue an SQL command that always failed, and other programs printed a conninfo string in error messages that purported to print a database name. Fix both problems by using PQdb() to retrieve actual database names. Continue to print the full conninfo string when reporting a connection failure. It is informative there, and if the database name is the sole problem, the server-side error message will include the name. Beyond those user-visible fixes, this allows a subsequent commit to synthesize and use conninfo strings without that implementation detail leaking into messages. As a side effect, the "vacuuming database" message now appears after, not before, the connection attempt. Back-patch to 9.1 (all supported versions). Reviewed by Michael Paquier and Peter Eisentraut. Security: CVE-2016-5424 --- src/bin/scripts/createlang.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/bin/scripts/createlang.c') diff --git a/src/bin/scripts/createlang.c b/src/bin/scripts/createlang.c index f4eb0797f00..b93eada476b 100644 --- a/src/bin/scripts/createlang.c +++ b/src/bin/scripts/createlang.c @@ -192,10 +192,10 @@ main(int argc, char *argv[]) result = executeQuery(conn, sql.data, progname, echo); if (PQntuples(result) > 0) { - PQfinish(conn); fprintf(stderr, _("%s: language \"%s\" is already installed in database \"%s\"\n"), - progname, langname, dbname); + progname, langname, PQdb(conn)); + PQfinish(conn); /* separate exit status for "already installed" */ exit(2); } -- cgit v1.2.3