Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
Cc: pgadmin-hackers(at)postgresql(dot)org
Subject: Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually
Date: 2018-02-04 20:05:02
Message-ID: 4A076831-1759-4F38-B8FA-38C5C2AE742A@pgadmin.org
Lists: pgadmin-hackers

Hi

> On 4 Feb 2018, at 18:07, Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com> wrote:
>
> Hi Dave,
>
> There is a possibility of SQL Injection (if we don't use qtLiteral).
> We need some kind of check for this.
>
> What do you say?

The user is already logged in, and could run the query tool anyway to do anything their privileges allow.

Do you see an escalation vector that I’m missing?

I re-added the hackers list for any other opinions.

>
>
> --
> Thanks & Regards,
>
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
>
> http://www.linkedin.com/in/asheshvashi
>
>> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>> Don't quote variable values used by SET. It's usually going to be wrong. Fixes #3027
>>
>> Branch
>> ------
>> master
>>
>> Details
>> -------
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>
>> Modified Files
>> --------------
>> .../databases/schemas/templates/macros/functions/variable.macros | 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros | 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>
>
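The thread weighs two failure modes of the template macros: quoting every SET value through qtLiteral is injection-safe but often yields the wrong value, while emitting values bare is only safe if the value is validated first. The following helper is an added illustration of the middle path and is not pgAdmin's code; the `render_set`, `qt_literal` and `_is_bare_safe` names and the bare-token allowlist (identifiers, double-quoted identifiers, numbers with a unit suffix, comma-separated lists of those) are assumptions and do not reproduce PostgreSQL's full SET grammar.

```python
import re

# GUC names: identifier, optionally dotted for extension options (e.g. ext.option).
_GUC_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*")

# Values that may be emitted unquoted: plain or double-quoted identifiers
# ("$user", public), numbers with an optional unit suffix (64MB, -1, 0.5),
# and comma-separated lists of those. Anything else gets quoted.
_IDENT = r'(?:[A-Za-z_][A-Za-z0-9_$]*|"[^"]*")'
_NUM = r"-?[0-9]+(?:\.[0-9]+)?[A-Za-z]*"
_ELEMENT = rf"(?:{_IDENT}|{_NUM})"
_BARE_LIST = re.compile(rf"{_ELEMENT}(?:\s*,\s*{_ELEMENT})*")


def _is_bare_safe(value: str) -> bool:
    """True if the value consists only of tokens that cannot end the statement."""
    return _BARE_LIST.fullmatch(value) is not None


def qt_literal(value: str) -> str:
    """Render a string literal: double embedded single quotes, reject NUL bytes.
    Backslashes are left alone, as with standard_conforming_strings = on."""
    if "\0" in value:
        raise ValueError("NUL byte in literal")
    return "'" + value.replace("'", "''") + "'"


def render_set(name: str, value: str) -> str:
    """Build a SET statement. The name is validated against an identifier
    pattern; the value is emitted bare only when it is token-safe, and is
    otherwise passed through qt_literal so it stays a single literal."""
    if _GUC_NAME.fullmatch(name) is None:
        raise ValueError(f"invalid configuration parameter name: {name!r}")
    rendered = value if _is_bare_safe(value) else qt_literal(value)
    return f"SET {name} = {rendered};"
```

Where the driver supports bound parameters, `SELECT set_config(name, value, false)` avoids building the statement text at all.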
