Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

From: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually
Date: 2018-02-05 02:26:51
Message-ID: CAG7mmow3XM_aRhCrCkKhe6f7nRcmbn21Q_82NG+LHaptUi2zjA@mail.gmail.com
Lists: pgadmin-hackers

On Mon, Feb 5, 2018 at 1:35 AM, Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Hi
>
> On 4 Feb 2018, at 18:07, Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
> wrote:
>
> Hi Dave,
>
> There is a possibility of SQL injection (if we don't use qtLiteral).
> We need some kind of check for this.
>
> What do you say?
>
>
> The user is already logged in, and could run the query tool anyway to do
> anything their privileges allow.
>
That's always there.

>
> Do you see an escalation vector that I’m missing?
>
I think a user can add any value (with spaces) for a variable of text type.

So we need a mechanism to transform the value in a proper manner.

-- Thanks,
Ashesh Vashi

>
> I re-added the hackers list for any other opinions.
>
> --
>
> Thanks & Regards,
>
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> <http://www.enterprisedb.com>
>
>
> *http://www.linkedin.com/in/asheshvashi*
> <http://www.linkedin.com/in/asheshvashi>
>
> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> Don't quote variable values used by SET. It's usually going to be wrong.
>> Fixes #3027
>>
>> Branch
>> ------
>> master
>>
>> Details
>> -------
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>
>> Modified Files
>> --------------
>> .../databases/schemas/templates/macros/functions/variable.macros |
>> 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros |
>> 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>
>>
>
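An added example, written for this archive page and not taken from pgAdmin or from either poster, of the injection point Ashesh raises: a text-type value containing spaces and a semicolon, interpolated into `SET ... TO` without quoting, reaches the server as a second statement, while the same value passed through a quote_literal()-style helper stays one string literal. The `quote_literal()` here is a stand-in written for the example, not pgAdmin's `qtLiteral` filter; the setting name, the payload and the statement counter are all constructed. As Dave notes in the quoted message, the generated SQL runs with the logged-in user's own privileges, so the extra statement is not a privilege escalation; the example only shows what the missing quoting allows a value to do.

```python
"""Added example for the thread above. Not pgAdmin code; quote_literal() below
is a stand-in written for this example, not pgAdmin's qtLiteral filter.

Renders `SET <name> TO <value>;` the way a template might, once with the raw
value interpolated and once with the value quoted as a string literal, then
counts how many statements the server would see in each rendering.
"""


def quote_literal(value: str) -> str:
    """Quote a string as a PostgreSQL literal, mirroring quote_literal().

    Single quotes are doubled. If the value contains a backslash the E'...'
    form is used with backslashes doubled, so the result reads the same under
    either standard_conforming_strings setting.
    """
    escaped = value.replace("'", "''")
    if "\\" in escaped:
        return "E'" + escaped.replace("\\", "\\\\") + "'"
    return "'" + escaped + "'"


def build_set(var_name: str, value: str, quote: bool) -> str:
    """Render `SET var TO value;` with or without literal quoting of the value.

    var_name is assumed to come from a fixed list of known settings; only the
    value is treated as user supplied here.
    """
    rendered = quote_literal(value) if quote else value
    return f"SET {var_name} TO {rendered};"


def count_statements(sql: str) -> int:
    """Count statements by top-level semicolons.

    Semicolons inside single-quoted literals ('' doubling and E'...' backslash
    escapes handled) and inside -- comments are not statement separators.
    """
    count = 0
    in_quote = False
    escapes = False  # inside an E'...' literal a backslash escapes the next char
    i = 0
    n = len(sql)
    while i < n:
        ch = sql[i]
        if in_quote:
            if escapes and ch == "\\":
                i += 2
                continue
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2  # doubled quote, still inside the literal
                    continue
                in_quote = False
        elif ch == "-" and i + 1 < n and sql[i + 1] == "-":
            nl = sql.find("\n", i)  # -- comment runs to end of line
            i = n if nl < 0 else nl
            continue
        elif ch == "'":
            in_quote = True
            prev = sql[i - 1] if i > 0 else ""
            before = sql[i - 2] if i > 1 else ""
            escapes = prev in ("e", "E") and not (before.isalnum() or before == "_")
        elif ch == ";":
            count += 1
        i += 1
    return count


# Constructed payload: a "text" value with spaces and a statement terminator.
PAYLOAD = "public; DROP TABLE audit_log; --"


def compare(var_name: str = "search_path", value: str = PAYLOAD) -> dict:
    """Return both renderings and how many statements each contains."""
    unquoted = build_set(var_name, value, quote=False)
    quoted = build_set(var_name, value, quote=True)
    return {
        "unquoted": unquoted,
        "unquoted_statements": count_statements(unquoted),
        "quoted": quoted,
        "quoted_statements": count_statements(quoted),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key}: {val}")
```

With the constructed payload the unquoted rendering contains two statements (the injected DROP being the second), and the quoted rendering one. Whether a quoted literal is the correct form for every setting a template emits is the separate question the commit message raises and is not addressed by this example.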
