From: Ashesh Vashi
Date: Wed, 10 May 2017 13:26:51 +0530
Subject: Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
To: Andrei Antonov
Cc: pgadmin-hackers

Thanks.
Committed!

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi


2017-05-10 1:06 GMT+05:30 Andrei Antonov <antonov@imp-m.ru>:
good day!

i fixed tiny errors (html-escaping), but it has security effects.

see file "0001-escape-label-of-node-of-tree-when-events-add-remove-.patch" [ https://github.com/postgres-impulsm/pgadmin4/commit/f993513d148fc6dd7e0196261f847e668d5e2c6c ]




--
Andrei Antonov,
software engineer, Department of Information Technology and Programming,
Impuls M company

