From: | Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com> |
---|---|
To: | Dave Page <dpage(at)pgadmin(dot)org> |
Cc: | pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org> |
Subject: | Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually |
Date: | 2018-02-05 02:26:51 |
Message-ID: | CAG7mmow3XM_aRhCrCkKhe6f7nRcmbn21Q_82NG+LHaptUi2zjA@mail.gmail.com |
Lists: | pgadmin-hackers |
On Mon, Feb 5, 2018 at 1:35 AM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
> Hi
>
> On 4 Feb 2018, at 18:07, Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
> wrote:
>
> Hi Dave,
>
> There is a possibility of SQL Injection (if we don't use qtLiteral).
> We need some kind of check for this.
>
> What do you say?
>
>
> The user is already logged in, and could run the query tool anyway to do
> anything their privileges allow.
>
That's always there.
>
> Do you see an escalation vector that I’m missing?
>
I think a user can add any value (with spaces) for a variable of text type.
So we need a mechanism to transform the value in a proper manner.
-- Thanks,
Ashesh Vashi
>
>
> I re-added the hackers list for any other opinions.
>
>
>
> --
>
> Thanks & Regards,
>
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> <http://www.enterprisedb.com>
>
>
> *http://www.linkedin.com/in/asheshvashi*
> <http://www.linkedin.com/in/asheshvashi>
>
> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> Don't quote variable values used by SET. It's usually going to be wrong.
>> Fixes #3027
>>
>> Branch
>> ------
>> master
>>
>> Details
>> -------
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>
>> Modified Files
>> --------------
>> .../databases/schemas/templates/macros/functions/variable.macros | 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros | 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>
>>
>
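The thread turns on how a user-supplied variable value should be transformed before it is placed into a `SET` statement: quoting every value as a string literal is wrong for list-valued settings such as `search_path`, while emitting text values bare lets a value containing spaces or quotes change the statement. The following is an added example, not pgAdmin's own template code, showing one way to render the statement by value type. The function names (`render_set`, `quote_literal`, `render_element`) and the regular expressions are assumptions made for the illustration; the literal quoting assumes `standard_conforming_strings` is on, as it is by default in current PostgreSQL.

```python
import re

# Added example, not pgAdmin's code. It renders "SET <name> = <value>" so that
# a user-supplied value cannot change the shape of the statement, while
# list-valued settings such as search_path still come out as a bare,
# comma-separated list.

# GUC names: an identifier, optionally dotted (custom settings like "myapp.flag").
GUC_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$")
# Elements that may appear bare inside a SET value list: plain identifiers and
# plain numbers. Anything else is rendered as a quoted literal.
BARE_ELEMENT_RE = re.compile(r"^(?:-?[0-9]+(?:\.[0-9]+)?|[A-Za-z_][A-Za-z0-9_]*)$")


def quote_literal(value):
    """Render value as a PostgreSQL string literal: wrap it in single quotes
    and double every embedded single quote (assumes standard_conforming_strings
    is on, so backslashes need no treatment). A NUL byte is rejected because
    it can never be part of a valid literal."""
    if "\x00" in value:
        raise ValueError("NUL byte is not allowed in a SET value")
    return "'" + value.replace("'", "''") + "'"


def render_element(element):
    """Render one element of a SET value: bare when it is a bool, a number or
    a plain identifier, otherwise as a quoted literal, so that spaces,
    semicolons and quotes in the element stay inside the literal."""
    if isinstance(element, bool):
        return "on" if element else "off"
    if isinstance(element, (int, float)):
        return repr(element)
    if BARE_ELEMENT_RE.match(element):
        return element
    return quote_literal(element)


def render_set(name, value):
    """Build "SET name = value" (hypothetical helper).

    value may be:
      - a str: always rendered as one literal (text-typed variables such as
        application_name, or work_mem = '64MB');
      - an int, float or bool: rendered bare;
      - a list or tuple: a list-valued setting such as search_path; each
        element is rendered bare or as a literal on its own.
    The name is validated against the identifier grammar, so it cannot carry
    anything but a parameter name into the statement.
    """
    if not GUC_NAME_RE.match(name):
        raise ValueError("invalid configuration parameter name: %r" % name)
    if isinstance(value, str):
        rendered = quote_literal(value)
    elif isinstance(value, (list, tuple)):
        if not value:
            raise ValueError("empty value list for %s" % name)
        rendered = ", ".join(render_element(e) for e in value)
    else:
        rendered = render_element(value)
    return "SET %s = %s" % (name, rendered)


if __name__ == "__main__":
    # Constructed sample inputs, including values with spaces and quotes;
    # every result is exactly one SET statement.
    for name, value in [
        ("search_path", ["public", "my schema"]),
        ("work_mem", "64MB"),
        ("application_name", "pgAdmin 4; it's a value with spaces"),
        ("statement_timeout", 30000),
        ("myapp.flag", True),
    ]:
        print(render_set(name, value))
```

The caller decides the value type from the variable's declared type: text-typed variables are passed as `str` and always become a single literal, list-typed ones as a list. Neither `'public, my schema'` (one literal where a list was meant) nor a bare text value with spaces can be produced by mistake, which is the transformation step the thread asks for.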