Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtp (Exim 4.84_2)
	(envelope-from
 <pgadmin-hackers-owner+M28879=pgadmin-hackers-arka@postgresql.org>)
	id 1d8Mdu-00056q-Ah
	for pgadmin-hackers@arkaria.postgresql.org; Wed, 10 May 2017 08:06:42 +0000
Received: from localhost ([127.0.0.1] helo=postgresql.org)
	by malur.postgresql.org with smtp (Exim 4.84_2)
	(envelope-from
 <pgadmin-hackers-owner+M28879=pgadmin-hackers-arka@postgresql.org>)
	id 1d8Mdt-0004qU-Tj
	for pgadmin-hackers@arkaria.postgresql.org; Wed, 10 May 2017 08:06:41 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
	(Exim 4.84_2)
	(envelope-from <dpage@pgadmin.org>)
	id 1d8Mds-0004lh-VG
	for pgadmin-hackers@postgresql.org; Wed, 10 May 2017 08:06:41 +0000
Received: from mail-it0-x232.google.com ([2607:f8b0:4001:c0b::232])
	by magus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.84_2)
	(envelope-from <dpage@pgadmin.org>)
	id 1d8Mdl-0004X2-JB
	for pgadmin-hackers@postgresql.org; Wed, 10 May 2017 08:06:40 +0000
Received: by mail-it0-x232.google.com with SMTP id o5so20081386ith.1
        for <pgadmin-hackers@postgresql.org>;
 Wed, 10 May 2017 01:06:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=pgadmin-org.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=LTm7cK7nJEGeCzNWls1wZDu5PJQQ5TvSQ7btrXYSm+k=;
        b=spsnzA8vWKT+iPenDBnnKVR3AFTfjkwYIebKjuDIsNZgWJZRnKe6GHKDh2CB5EVovl
         LsAAJBi5+dOMRpGAlEAJaejri8L8yvN/eP4BdKoGu2SLmBCGCHR2QdAq2thoG/JoJ9q2
         +0t1ogvaeEL6XnLV6C9jYKmzx5nJysHIIrHJBMwXr2BeC7X6KNudfOCIejbmudqV5edn
         SXIxwyRqTCOvr79/5AfRaTvr6AGgO9/c3h8r49wA6L1CKu0+wdoSJEPiKBlCiySs01pz
         YjJupsLIqv1YdO3+fyE6z37/vSVzYZG5SxpoR5NgSW5AN5q/4JqN36r31wRCMIO/0uLA
         NM4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=LTm7cK7nJEGeCzNWls1wZDu5PJQQ5TvSQ7btrXYSm+k=;
        b=QLGYpNJwDgWZFfoIxbBWaaE+tcItDwwJN/a9inM++22hAjERIGXXZxJDkYRW0bs46O
         0CWmcu1rERrIbEfDeWJcrN427PbCNlXPqxulDpP+M1k5XjKeJUyIOmsCp3ACoiaAndwi
         9ogmUhD4zhHlcGe9KhwEfAzSwrHuY0M1AAPtsDcBTU1EgWXVWiK1hj07wkrAt9qQzFSZ
         j6rvOBW8Kf+xcu9J1sq0Z06ChK2NsaqznP7/HIKwSc2IpRlM9y8IWRu2eKKGlQxguL0d
         mMC0CBWCgWhrfGtlUW9MrFF+tF009Il7MjiUiJtkVMo2pa+bEpDcu8fX6lvj6k7H5GFf
         AAfg==
X-Gm-Message-State: AODbwcCv7gimaCnXd1DoYjyMsHcuphFW4R8SDv7f5IfXWqoHt1E44hyc
	1/Dhz/miQYE5h3lYaOOrtRS6p8wPXw==
X-Received: by 10.36.193.134 with SMTP id e128mr3811347itg.43.1494403591644;
 Wed, 10 May 2017 01:06:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.174.167 with HTTP; Wed, 10 May 2017 01:06:30 -0700 (PDT)
In-Reply-To: 
 <CAG7mmoz8HSMBZcA+mpY_dzkJP6MZbWf44EHh3OBGutRzQDCDXQ@mail.gmail.com>
References: <b6c79719012594bfe674b809337298b1@imp-m.ru>
 <CAG7mmoygGeXaeV9WT3cBtLKf_4qsdFBvivUZyp1pbkxmh3mUkw@mail.gmail.com>
 <CA+OCxoxHMMzgFCQ8hmMx9AtoYcRpVO2KJqLKJNWMf9=KYEJ7qw@mail.gmail.com>
 <CAG7mmoz8HSMBZcA+mpY_dzkJP6MZbWf44EHh3OBGutRzQDCDXQ@mail.gmail.com>
From: Dave Page <dpage@pgadmin.org>
Date: Wed, 10 May 2017 09:06:30 +0100
Message-ID: 
 <CA+OCxowGKGo+cVpKV6q8HzNdz0cZYEo+HQhwDrG6D2owbitqeQ@mail.gmail.com>
Subject: Re: security bug (with patch-fix) -- need more
 HTML-escaping for working with tree-nodes
To: Ashesh Vashi <ashesh.vashi@enterprisedb.com>
Cc: Andrei Antonov <antonov@imp-m.ru>,
 pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary=94eb2c08ebd23b6b4d054f26f329
X-Pg-Spam-Score: -2.6 (--)
List-Archive: <http://archives.postgresql.org/pgadmin-hackers>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgadmin-hackers.postgresql.org>
List-Owner: <mailto:pgadmin-hackers-owner@postgresql.org>
List-Post: <mailto:pgadmin-hackers@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgadmin-hackers>
List-Unsubscribe: 
 <mailto:majordomo@postgresql.org?body=unsub%20pgadmin-hackers>
X-Mailing-List: pgadmin-hackers
Precedence: bulk
Sender: pgadmin-hackers-owner@postgresql.org

--94eb2c08ebd23b6b4d054f26f329
Content-Type: text/plain; charset=UTF-8

On Wed, May 10, 2017 at 9:00 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com
> wrote:

> On Wed, May 10, 2017 at 1:29 PM, Dave Page <dpage@pgadmin.org> wrote:
>
>>
>>
>> On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <
>> ashesh.vashi@enterprisedb.com> wrote:
>>
>>> Thanks.
>>> Committed!
>>>
>>
>> I agree with the change from a preventative/safety perspective, though
>> I'm struggling to classify it as a security issue, given that collections
>> are always named by the code and not from user input.
>>
>> Am I missing something?
>>
> True - but not the case with the server-group.
> It is a collection node, still has it's own label.
>

Ahh, yes.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--94eb2c08ebd23b6b4d054f26f329
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Wed, May 10, 2017 at 9:00 AM, Ashesh Vashi <span dir=3D"ltr">&lt;<a =
href=3D"mailto:ashesh.vashi@enterprisedb.com" target=3D"_blank">ashesh.vash=
i@enterprisedb.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">=
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><spa=
n class=3D"">On Wed, May 10, 2017 at 1:29 PM, Dave Page <span dir=3D"ltr">&=
lt;<a href=3D"mailto:dpage@pgadmin.org" target=3D"_blank">dpage@pgadmin.org=
</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin=
:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><=
br><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Wed, May 10=
, 2017 at 8:56 AM, Ashesh Vashi <span dir=3D"ltr">&lt;<a href=3D"mailto:ash=
esh.vashi@enterprisedb.com" target=3D"_blank">ashesh.vashi@enterprisedb.com=
</a><wbr>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"m=
argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"l=
tr">Thanks.<div>Committed!</div></div></blockquote><div><br></div><div>I ag=
ree with the change from a preventative/safety perspective, though I&#39;m =
struggling to classify it as a security issue, given that collections are a=
lways named by the code and not from user input.=C2=A0</div></div><br clear=
=3D"all"><div>Am I missing something?</div></div></div></blockquote></span>=
<div>True - but not the case with the server-group.</div><div>It is a colle=
ction node, still has it&#39;s own label.</div></div></div></div></blockquo=
te><div><br></div><div>Ahh, yes.=C2=A0</div></div><div><br></div>-- <br><di=
v class=3D"gmail_signature" data-smartmail=3D"gmail_signature">Dave Page<br=
>Blog: <a href=3D"http://pgsnake.blogspot.com" target=3D"_blank">http://pgs=
nake.blogspot.com</a><br>Twitter: @pgsnake<br><br>EnterpriseDB UK: <a href=
=3D"http://www.enterprisedb.com" target=3D"_blank">http://www.enterprisedb.=
com</a><br>The Enterprise PostgreSQL Company<br></div>
</div></div>

--94eb2c08ebd23b6b4d054f26f329--