Re: Patch for RM1911 Direct file navigation [pgAdmin4] [Feature]

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Harshal Dhumal <harshal(dot)dhumal(at)enterprisedb(dot)com>
Cc: pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: Patch for RM1911 Direct file navigation [pgAdmin4] [Feature]
Date: 2017-01-16 15:12:14
Message-ID: CA+OCxoy7iY3xkSwXxpHCWGu46dsFacJwSn+SA1RA2g33qvgASg@mail.gmail.com
Lists: pgadmin-hackers

Hi

On Sat, Jan 14, 2017 at 2:27 PM, Harshal Dhumal
<harshal(dot)dhumal(at)enterprisedb(dot)com> wrote:
> Hi,
>
> Please find the updated patch for RM1911.
>
> 1. This includes a fix for the index out of range issue when the user enters
> the path of a folder without a trailing slash (shown by Dave).
> 2. It makes this functionality compatible with the save last used directory
> feature.

- The first test I ran gave the error seen in the attachment (running
in server mode, clicking the Browse button on the backup dialogue).

- I also noticed in reviewing the changes again, that you've got code
in sqleditor/__init__.py to stop the user moving outside of the
storage sandbox in server mode. That code should be part of the file
manager - none of the modules using it should be doing that kind of
check.

- If I do try to navigate outside of the sandbox, I get a nice error:
"Error: Access Denied (/Users/dpage/.pgadmin)" for example, if I enter
/../../. Whilst it's good to be informative, it's also a security
leak. It should only tell me the path that the user sees, not the path
as it actually is on the server - e.g. "Error: Access Denied
(/../../../)"

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Attachment: Screen Shot 2017-01-16 at 15.02.01.png (image/png, 174.2 KB)
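The sandbox check and the non-leaking error message from the review above, written out as an added example; this is not pgAdmin's own code, and the function, exception and storage root path are assumed names. The idea is that one helper in the file manager owns the check (so callers such as sqleditor do not repeat it), and that a denied request reports the path the user typed, never the server-side location of the sandbox.

```python
import os


class AccessDenied(Exception):
    """Raised when a requested path would leave the storage sandbox."""


def resolve_in_sandbox(storage_root, user_path):
    """Map a user-visible path (as typed into the file manager) onto the
    real filesystem path under storage_root.

    Returns the absolute server path on success. If the request escapes
    the sandbox, raises AccessDenied whose message carries only the
    user-visible path, not the real location of storage_root.
    """
    # realpath() on both sides so a symlinked storage root compares equal
    # to the resolved candidate below.
    root = os.path.realpath(storage_root)

    # The user's view of the sandbox starts at "/", so strip leading
    # separators before joining; a trailing slash (or its absence) on a
    # folder makes no difference after normalisation.
    relative = user_path.lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))

    # Any ".." or symlink that resolved above the root lands outside it.
    inside = candidate == root or candidate.startswith(root + os.sep)
    if not inside:
        # Echo only what the user typed, e.g. "Access Denied (/../../)".
        raise AccessDenied("Access Denied (%s)" % user_path)
    return candidate


def describe_denial(storage_root, user_path):
    """Return the error text a caller would show, or None when allowed.
    Kept separate so the message can be checked without touching disk."""
    try:
        resolve_in_sandbox(storage_root, user_path)
    except AccessDenied as exc:
        return str(exc)
    return None
```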
