Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtp (Exim 4.84_2)
	(envelope-from
 <pgadmin-hackers-owner+M28874=pgadmin-hackers-arka@postgresql.org>)
	id 1d8MWt-0004eV-J8
	for pgadmin-hackers@arkaria.postgresql.org; Wed, 10 May 2017 07:59:27 +0000
Received: from localhost ([127.0.0.1] helo=postgresql.org)
	by malur.postgresql.org with smtp (Exim 4.84_2)
	(envelope-from
 <pgadmin-hackers-owner+M28874=pgadmin-hackers-arka@postgresql.org>)
	id 1d8MWt-0002Wo-61
	for pgadmin-hackers@arkaria.postgresql.org; Wed, 10 May 2017 07:59:27 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
	(Exim 4.84_2)
	(envelope-from <dpage@pgadmin.org>)
	id 1d8MWe-0001iJ-FL
	for pgadmin-hackers@postgresql.org; Wed, 10 May 2017 07:59:12 +0000
Received: from mail-it0-x233.google.com ([2607:f8b0:4001:c0b::233])
	by magus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.84_2)
	(envelope-from <dpage@pgadmin.org>)
	id 1d8MWa-0004JG-3v
	for pgadmin-hackers@postgresql.org; Wed, 10 May 2017 07:59:11 +0000
Received: by mail-it0-x233.google.com with SMTP id o5so19991122ith.1
        for <pgadmin-hackers@postgresql.org>;
 Wed, 10 May 2017 00:59:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=pgadmin-org.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=RQi+KrYS/jA6w51FznxSv26NX8yciRvrfuiUCPjjsMI=;
        b=nj1bzASHMDXxx8AQVG+FcjmBwN8jA2vvql67wHBcgVwCWsMup6UUHxtuL0yTCKqHQV
         CgyQUpSDfNDRZhZgD/+qg0Rek0kiEZpaDcRDLwyydX02zO7FoGPyIWacrdHfRf2gZeNa
         cZ9aNpgasSZZ2Rm6nRclFiyDPH/2mOGIwUZcfja9xN8Tx3ZSgAQL5ZjDo7B9ABhyUk4b
         yJcr/25tDuMHVvC7wGTjYbxSXktjrpKf3gzSw/Sa1pCQZGP5Kunkh6sTpo/KKgYBOVAK
         lX+NP92MnxhDBXiX4shfCUfquq/h6fOYZtS7kf34prUqXhhWH7xq6pLLvKlsjuy/UfjJ
         94vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=RQi+KrYS/jA6w51FznxSv26NX8yciRvrfuiUCPjjsMI=;
        b=AtiPPMOxFCBSpwYfrg1iZTyH9DfMpwo3rc2syfN0DVEREpsxE0B53+pFKL8xen9VlL
         l7lVneRZhPQHziU8FmGhOW5zFJ7lOyREECCSjsRpal2EJVJuqxJFsWcXlRIOl9p/KglI
         90BiKv3eeUD2PQ2jGH28xy/NCFBK2LZuTmEEPqLnz+sBMU1vEI6lrgSV6yfN1fcf2aMx
         Fr78K0ruWNyRBExmKdlFpdlAuwEdBAVjihfWpp1gHTe0/NQ0uoNBLxQ2z4w9lXPE7sNk
         RAvVhlkCkB7dsOcoBslTN5sprBxRpiDhenXiXTe2ENGdi8d6p7MgGHomWmRhvrAMOAIG
         GeCQ==
X-Gm-Message-State: AODbwcDU3tXewPdezsWxhHRYctJm6VBqEaWHQnWZrgDXtah+EieNWhyr
	vJOFj372yin4j8//qX+11w0gtzBUOw==
X-Received: by 10.36.17.197 with SMTP id 188mr111288itf.28.1494403146501; Wed,
 10 May 2017 00:59:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.174.167 with HTTP; Wed, 10 May 2017 00:59:05 -0700 (PDT)
In-Reply-To: 
 <CAG7mmoygGeXaeV9WT3cBtLKf_4qsdFBvivUZyp1pbkxmh3mUkw@mail.gmail.com>
References: <b6c79719012594bfe674b809337298b1@imp-m.ru>
 <CAG7mmoygGeXaeV9WT3cBtLKf_4qsdFBvivUZyp1pbkxmh3mUkw@mail.gmail.com>
From: Dave Page <dpage@pgadmin.org>
Date: Wed, 10 May 2017 08:59:05 +0100
Message-ID: 
 <CA+OCxoxHMMzgFCQ8hmMx9AtoYcRpVO2KJqLKJNWMf9=KYEJ7qw@mail.gmail.com>
Subject: Re: security bug (with patch-fix) -- need more
 HTML-escaping for working with tree-nodes
To: Ashesh Vashi <ashesh.vashi@enterprisedb.com>
Cc: Andrei Antonov <antonov@imp-m.ru>,
 pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="001a11437efeb2fafc054f26d869"
X-Pg-Spam-Score: -2.6 (--)
List-Archive: <http://archives.postgresql.org/pgadmin-hackers>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgadmin-hackers.postgresql.org>
List-Owner: <mailto:pgadmin-hackers-owner@postgresql.org>
List-Post: <mailto:pgadmin-hackers@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgadmin-hackers>
List-Unsubscribe: 
 <mailto:majordomo@postgresql.org?body=unsub%20pgadmin-hackers>
X-Mailing-List: pgadmin-hackers
Precedence: bulk
Sender: pgadmin-hackers-owner@postgresql.org

--001a11437efeb2fafc054f26d869
Content-Type: text/plain; charset="UTF-8"

On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com
> wrote:

> Thanks.
> Committed!
>

I agree with the change from a preventative/safety perspective, though I'm
struggling to classify it as a security issue, given that collections are
always named by the code and not from user input.

Am I missing something?

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--001a11437efeb2fafc054f26d869
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <span dir=3D"ltr">&lt;<a =
href=3D"mailto:ashesh.vashi@enterprisedb.com" target=3D"_blank">ashesh.vash=
i@enterprisedb.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">=
<div dir=3D"ltr">Thanks.<div>Committed!</div></div></blockquote><div><br></=
div><div>I agree with the change from a preventative/safety perspective, th=
ough I&#39;m struggling to classify it as a security issue, given that coll=
ections are always named by the code and not from user input.=C2=A0</div></=
div><br clear=3D"all"><div>Am I missing something?</div><div><br></div>-- <=
br><div class=3D"gmail_signature" data-smartmail=3D"gmail_signature">Dave P=
age<br>Blog: <a href=3D"http://pgsnake.blogspot.com" target=3D"_blank">http=
://pgsnake.blogspot.com</a><br>Twitter: @pgsnake<br><br>EnterpriseDB UK: <a=
 href=3D"http://www.enterprisedb.com" target=3D"_blank">http://www.enterpri=
sedb.com</a><br>The Enterprise PostgreSQL Company<br></div>
</div></div>

--001a11437efeb2fafc054f26d869--