From: Dave Page <dpage@pgadmin.org>
Date: Wed, 10 May 2017 09:35:58 +0100
Subject: Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
To: Ashesh Vashi <ashesh.vashi@enterprisedb.com>
Cc: Andrei Antonov, pgadmin-hackers
List: pgadmin-hackers

BTW, Ashesh, can you please ensure there's an RM ticket for this, as it's obviously of interest to users.

Thanks.

On Wed, May 10, 2017 at 9:06 AM, Dave Page <dpage@pgadmin.org> wrote:
>
> On Wed, May 10, 2017 at 9:00 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
>
>> On Wed, May 10, 2017 at 1:29 PM, Dave Page <dpage@pgadmin.org> wrote:
>>
>>> On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
>>>
>>>> Thanks.
>>>> Committed!
>>>
>>> I agree with the change from a preventative/safety perspective, though
>>> I'm struggling to classify it as a security issue, given that collections
>>> are always named by the code and not from user input.
>>>
>>> Am I missing something?
>>
>> True - but not the case with the server-group.
>> It is a collection node, still has its own label.
>
> Ahh, yes.
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
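The point settled in the exchange above is that a "collection" node is not automatically safe to render unescaped: the server-group node is a collection whose label is typed by a user, so any tree-node rendering path must HTML-escape labels regardless of who the caller thinks named the node. The following is an added illustration of that rule and is not pgAdmin's code; it assumes nothing about pgAdmin's tree API, and the node objects, function names and the malicious server-group name are constructed for the example.

```javascript
// Added illustration (not pgAdmin's code): a tree-node label that can come
// from user input must be HTML-escaped before it is placed in node markup.

// Minimal HTML escaper covering the characters that matter in text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: the label is interpolated straight into the markup.
// This is fine only as long as every label is a constant chosen by code.
function renderNodeUnsafe(node) {
  return '<li class="' + node.type + '"><span>' + node.label + '</span></li>';
}

// Hardened form: every interpolated value is escaped, whether or not the
// current caller happens to pass a code-defined name. For code-defined
// names the escaping is a no-op, so there is no cost to applying it always.
function renderNodeSafe(node) {
  return '<li class="' + escapeHtml(node.type) + '"><span>' +
    escapeHtml(node.label) + '</span></li>';
}

// Constructed sample nodes (hypothetical shape, not pgAdmin's):
// a collection whose label is fixed by code, and a server group whose
// label was typed by a user.
const codeNamedCollection = { type: 'coll-database', label: 'Databases' };
const userNamedServerGroup = {
  type: 'server-group',
  label: '<img src=x onerror=alert(1)>',
};

// Check used below: strip the two tags we emitted ourselves and see whether
// anything that still looks like a tag survives in the label position.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<li class="[^"]*"><span>/, '')
    .replace(/<\/span><\/li>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Usage when run stand-alone.
console.log(renderNodeUnsafe(userNamedServerGroup)); // injected <img> survives
console.log(renderNodeSafe(userNamedServerGroup));   // label shown as text
console.log(containsInjectedTag(renderNodeUnsafe(userNamedServerGroup)),
            containsInjectedTag(renderNodeSafe(userNamedServerGroup)));
```

The practical takeaway matches the thread: decide escaping by where the string is rendered, not by the node's category, since a category that is "always named by the code" today can gain a user-labelled member (as the server group already is). Building node labels via DOM text nodes (`textContent`) instead of string concatenation avoids the problem by construction where the tree library allows it.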