public inbox for [email protected]

security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
7+ messages / 3 participants
* security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
From: Andrei Antonov <[email protected]> @ 2017-05-09 19:36 UTC
To: pgadmin-hackers

Good day!

I fixed tiny errors (HTML escaping), but it has security effects.

see file "0001-escape-label-of-node-of-tree-when-events-add-remove-.patch"
[ https://github.com/postgres-impulsm/pgadmin4/commit/f993513d148fc6dd7e0196261f847e668d5e2c6c ]

--
Andrei Antonov,
software engineer, Department of Information Technology and Programming,
"Импульс М" (Impuls M) company

--
Sent via pgadmin-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers

Attachment: [text/x-diff] 0001-escape-label-of-node-of-tree-when-events-add-remove-.patch (1.7K)

diff:

From f993513d148fc6dd7e0196261f847e668d5e2c6c Mon Sep 17 00:00:00 2001
From: Andrei Antonov <[email protected]>
Date: Tue, 9 May 2017 22:18:54 +0300
Subject: [PATCH] escape label of node of tree, when events: add\remove\unload

---
web/pgadmin/browser/templates/browser/js/node.js | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/pgadmin/browser/templates/browser/js/node.js b/web/pgadmin/browser/templates/browser/js/node.js
index e337fec0..ff8bc09f 100644
--- a/web/pgadmin/browser/templates/browser/js/node.js
+++ b/web/pgadmin/browser/templates/browser/js/node.js
@@ -743,7 +743,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) { t.setLabel( pItem, { label: ( - pData._label + ' <span>(' + pData.collection_count + ')</span>' + _.escape(pData._label) + ' <span>(' + pData.collection_count + ')</span>' ) } );
@@ -821,7 +821,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) { t.setLabel( pItem, { label: ( - pData._label + ' <span>(' + pData.collection_count + ')</span>' + _.escape(pData._label) + ' <span>(' + pData.collection_count + ')</span>' ) } );
@@ -838,7 +838,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) { if (self.is_collection && 'collection_count' in data) { delete data.collection_count; - t.setLabel(item, {label: data._label}); + t.setLabel(item, {label: _.escape(data._label)}); } }, refresh: function(cmd, i) { -- 2.12.2
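Review bot: in the @@ -743 hunk the label now goes through `_.escape`, but the same expression still concatenates `pData.collection_count` unescaped into the `<span>`; that is only safe while the count is guaranteed numeric, so coerce it at the same point (e.g. `parseInt(pData.collection_count, 10)`), and confirm that `t.setLabel` renders the label as HTML rather than text, otherwise a label the tree escapes a second time will display `&amp;` for `&`.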
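Review bot: the @@ -821 hunk is a character-for-character repeat of the @@ -743 change, which is how the missing escape got duplicated in the first place; suggest building the collection label in one helper that both call sites use, e.g. a function returning `_.escape(pData._label) + ' <span>(' + pData.collection_count + ')</span>'`, so a future third call site cannot skip the escape.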
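Review bot: the @@ -838 hunk escapes only on the branch guarded by `self.is_collection && 'collection_count' in data`, where the count is dropped and the bare label restored; the commit message lists add/remove/unload, but nothing in this patch shows the label set when a node is first created, and the thread below notes the server-group label is user-chosen, so that creation path needs the same `_.escape` treatment or the fix is incomplete for server groups. A regression test with a server-group name containing `<` and `&` would pin this down.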
* Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
From: Ashesh Vashi <[email protected]> @ 2017-05-10 07:56 UTC
To: Andrei Antonov <[email protected]>
Cc: pgadmin-hackers

Thanks.
Committed!

--
Thanks & Regards,
Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
http://www.enterprisedb.com
http://www.linkedin.com/in/asheshvashi

2017-05-10 1:06 GMT+05:30 Andrei Antonov <[email protected]>:
> Good day!
>
> I fixed tiny errors (HTML escaping), but it has security effects.
>
> see file "0001-escape-label-of-node-of-tree-when-events-add-remove-.patch"
> [ https://github.com/postgres-impulsm/pgadmin4/commit/f993513d148fc6dd7e0196261f847e668d5e2c6c ]
* Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
From: Dave Page <[email protected]> @ 2017-05-10 07:59 UTC
To: Ashesh Vashi <[email protected]>
Cc: Andrei Antonov <[email protected]>; pgadmin-hackers

On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <[email protected]> wrote:
> Thanks.
> Committed!

I agree with the change from a preventative/safety perspective, though I'm struggling to classify it as a security issue, given that collections are always named by the code and not from user input.

Am I missing something?

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
* Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
From: Ashesh Vashi <[email protected]> @ 2017-05-10 08:00 UTC
To: Dave Page <[email protected]>
Cc: Andrei Antonov <[email protected]>; pgadmin-hackers

On Wed, May 10, 2017 at 1:29 PM, Dave Page <[email protected]> wrote:
> I agree with the change from a preventative/safety perspective, though I'm
> struggling to classify it as a security issue, given that collections are
> always named by the code and not from user input.
>
> Am I missing something?

True - but not the case with the server-group.
It is a collection node, still has its own label.

--
Thanks,
Ashesh
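An added example, not pgAdmin's code: the label construction from the patch before and after the fix, with a stand-in for underscore's `_.escape`, run on a constructed server-group name of the user-chosen kind Ashesh refers to. The numeric guard on the count and the trusted-markup check go beyond what the patch itself does.

```javascript
// Stand-in for underscore's _.escape: same six characters (& < > " ' `).
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Pre-patch behaviour from node.js: the raw label is concatenated into markup,
// so any markup in a server-group name becomes part of the tree's HTML.
function unsafeCollectionLabel(node) {
  return node._label + ' <span>(' + node.collection_count + ')</span>';
}

// Post-patch behaviour: the label is escaped. Added beyond the patch: the count
// is coerced to a non-negative integer so the only markup left is the <span>.
function safeCollectionLabel(node) {
  const count = Number.isInteger(node.collection_count) && node.collection_count >= 0
    ? node.collection_count
    : 0;
  return escapeHtml(node._label) + ' <span>(' + count + ')</span>';
}

// Defender-side check usable in a regression test: strip the one trusted
// wrapper and require that no tag-like characters remain in the label.
function onlyTrustedMarkup(labelHtml) {
  const stripped = labelHtml.replace(/ <span>\(\d+\)<\/span>$/, '');
  return !/[<>]/.test(stripped);
}

// Constructed sample: a server group whose name carries markup and an ampersand.
const serverGroup = { _label: 'Prod <b>servers</b> & DR', collection_count: 3 };

console.log(unsafeCollectionLabel(serverGroup)); // markup survives into the tree
console.log(safeCollectionLabel(serverGroup));   // markup rendered as text
```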
* Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
From: Dave Page <[email protected]> @ 2017-05-10 08:06 UTC
To: Ashesh Vashi <[email protected]>
Cc: Andrei Antonov <[email protected]>; pgadmin-hackers

On Wed, May 10, 2017 at 9:00 AM, Ashesh Vashi <[email protected]> wrote:
> True - but not the case with the server-group.
> It is a collection node, still has its own label.

Ahh, yes.

--
Dave Page
* Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
From: Dave Page <[email protected]> @ 2017-05-10 08:35 UTC
To: Ashesh Vashi <[email protected]>
Cc: Andrei Antonov <[email protected]>; pgadmin-hackers

BTW; Ashesh, can you please ensure there's an RM ticket for this, as it's obviously of interest to users.

Thanks.

On Wed, May 10, 2017 at 9:06 AM, Dave Page <[email protected]> wrote:
> Ahh, yes.

--
Dave Page
* Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
From: Ashesh Vashi <[email protected]> @ 2017-05-10 08:47 UTC
To: Dave Page <[email protected]>
Cc: Andrei Antonov <[email protected]>; pgadmin-hackers

Sure - I will create one.

On May 10, 2017 14:05, "Dave Page" <[email protected]> wrote:
> BTW; Ashesh, can you please ensure there's an RM ticket for this, as it's
> obviously of interest to users.
>
> Thanks.