Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtp (Exim 4.84_2)
	(envelope-from
 <pgadmin-hackers-owner+M28890=pgadmin-hackers-arka@postgresql.org>)
	id 1d8NHv-0007mR-0x
	for pgadmin-hackers@arkaria.postgresql.org; Wed, 10 May 2017 08:48:03 +0000
Received: from localhost ([127.0.0.1] helo=postgresql.org)
	by malur.postgresql.org with smtp (Exim 4.84_2)
	(envelope-from
 <pgadmin-hackers-owner+M28890=pgadmin-hackers-arka@postgresql.org>)
	id 1d8NHu-0006AV-Ji
	for pgadmin-hackers@arkaria.postgresql.org; Wed, 10 May 2017 08:48:02 +0000
Received: from makus.postgresql.org ([2001:4800:1501:1::229])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
	(Exim 4.84_2)
	(envelope-from <ashesh.vashi@enterprisedb.com>)
	id 1d8NHg-0005lk-9L
	for pgadmin-hackers@postgresql.org; Wed, 10 May 2017 08:47:48 +0000
Received: from mail-io0-x231.google.com ([2607:f8b0:4001:c06::231])
	by makus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.84_2)
	(envelope-from <ashesh.vashi@enterprisedb.com>)
	id 1d8NHd-0001V7-3l
	for pgadmin-hackers@postgresql.org; Wed, 10 May 2017 08:47:47 +0000
Received: by mail-io0-x231.google.com with SMTP id k91so9079200ioi.1
        for <pgadmin-hackers@postgresql.org>;
 Wed, 10 May 2017 01:47:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=Ubuqkgqx63kk9q499HpSwBTCXsovvNTTRSC7nGHQLbI=;
        b=r4r9B9uqycCUNjQF/243Bvcs151iqbzKsh4F47NGUdgwI05bzIe85hI1jRAunD2Cbl
         Vasb/zeiMZhXbi6D5mnffB9lEysRRk2ttuTk5byt76lpIz37m2AyQyzLIrw0vvb7tTRN
         p2Qh3wZpJP0GqOAx4jQIckofz1cY9f1qy7jV1hRJLkFLpFxW7PcAEaz3lml2/7k/8U25
         EdXUOCjoxYnPzByMklKTZWFtziEp0xC8u/EmsDKe5sTl5qtWXDDCA1rW0GXj8zSIOwh3
         HVQ8mgwKrFqOLUJFVM1fo87ERO8bnbtZjM4k4m4cB8FM8JV8MJqyAlQmoJ/l7AkR9b31
         7tPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=Ubuqkgqx63kk9q499HpSwBTCXsovvNTTRSC7nGHQLbI=;
        b=oiC5cTYmG74RCS4SovetjllQNsX9h+sjsbZwBy7NV3R2jW2x1QG2LJYk+mf8uTwphT
         q0lbHaQwhQ0q/tFSVF90JOOwcJNlx8P0glt7hfyaHNCD5fKkfquAeMrwYLHbzy8gRQ/y
         v1Kyl1Fk8b4F1xJ0GPR4+ksTD8QzJAy9TshyQ98gPnpIRtWm7xhTV4itHY6MjzIrRoy2
         aHk+NnntQ3Wgp5KbXH08rM2VXjFl6Q6G7bsGbC7vi/uRrLXTzGwFFOpHpdRK1gep52lf
         PJMDadlG9+7+FIiR6+x8LkjO3VwpyPcuwnEosKWPHR7BtznolsaeZ9alvFHNVhfm+XB7
         cqQA==
X-Gm-Message-State: AODbwcDjp6EhamrRcj0fW6NI9z3utpNW6QH3faXNAxlE8QQ7Dedc5wL4
	BAS7LbGgWEZJFxn/Lgxjq66IOYPiEktX
X-Received: by 10.107.48.144 with SMTP id w138mr2525869iow.30.1494406064274;
 Wed, 10 May 2017 01:47:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.133.155 with HTTP; Wed, 10 May 2017 01:47:42 -0700 (PDT)
Received: by 10.107.133.155 with HTTP; Wed, 10 May 2017 01:47:42 -0700 (PDT)
In-Reply-To: 
 <CA+OCxozF-WX_y2cPuf9g8X9V=RFU1r6mciam+8uTK1VgVG9NnA@mail.gmail.com>
References: <b6c79719012594bfe674b809337298b1@imp-m.ru>
 <CAG7mmoygGeXaeV9WT3cBtLKf_4qsdFBvivUZyp1pbkxmh3mUkw@mail.gmail.com>
 <CA+OCxoxHMMzgFCQ8hmMx9AtoYcRpVO2KJqLKJNWMf9=KYEJ7qw@mail.gmail.com>
 <CAG7mmoz8HSMBZcA+mpY_dzkJP6MZbWf44EHh3OBGutRzQDCDXQ@mail.gmail.com>
 <CA+OCxowGKGo+cVpKV6q8HzNdz0cZYEo+HQhwDrG6D2owbitqeQ@mail.gmail.com>
 <CA+OCxozF-WX_y2cPuf9g8X9V=RFU1r6mciam+8uTK1VgVG9NnA@mail.gmail.com>
From: Ashesh Vashi <ashesh.vashi@enterprisedb.com>
Date: Wed, 10 May 2017 14:17:42 +0530
Message-ID: 
 <CAG7mmoyoJeQLyjjofEcX+mOv3D+Nch0JwMvYuL3jGwjVnTM86g@mail.gmail.com>
Subject: Re: security bug (with patch-fix) -- need more
 HTML-escaping for working with tree-nodes
To: Dave Page <dpage@pgadmin.org>
Cc: Andrei Antonov <antonov@imp-m.ru>,
 pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary=001a11444bd49c912d054f2786e7
X-Pg-Spam-Score: -2.6 (--)
List-Archive: <http://archives.postgresql.org/pgadmin-hackers>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgadmin-hackers.postgresql.org>
List-Owner: <mailto:pgadmin-hackers-owner@postgresql.org>
List-Post: <mailto:pgadmin-hackers@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgadmin-hackers>
List-Unsubscribe: 
 <mailto:majordomo@postgresql.org?body=unsub%20pgadmin-hackers>
X-Mailing-List: pgadmin-hackers
Precedence: bulk
Sender: pgadmin-hackers-owner@postgresql.org

--001a11444bd49c912d054f2786e7
Content-Type: text/plain; charset=UTF-8

Sure - I will create one.

On May 10, 2017 14:05, "Dave Page" <dpage@pgadmin.org> wrote:

> BTW; Ashesh, can you please ensure there's an RM ticket for this, as it's
> obviously of interest to users.
>
> Thanks.
>
> On Wed, May 10, 2017 at 9:06 AM, Dave Page <dpage@pgadmin.org> wrote:
>
>>
>>
>> On Wed, May 10, 2017 at 9:00 AM, Ashesh Vashi <
>> ashesh.vashi@enterprisedb.com> wrote:
>>
>>> On Wed, May 10, 2017 at 1:29 PM, Dave Page <dpage@pgadmin.org> wrote:
>>>
>>>>
>>>>
>>>> On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <
>>>> ashesh.vashi@enterprisedb.com> wrote:
>>>>
>>>>> Thanks.
>>>>> Committed!
>>>>>
>>>>
>>>> I agree with the change from a preventative/safety perspective, though
>>>> I'm struggling to classify it as a security issue, given that collections
>>>> are always named by the code and not from user input.
>>>>
>>>> Am I missing something?
>>>>
>>> True - but not the case with the server-group.
>>> It is a collection node, still has it's own label.
>>>
>>
>> Ahh, yes.
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EnterpriseDB UK: http://www.enterprisedb.com
>> The Enterprise PostgreSQL Company
>>
>
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>

--001a11444bd49c912d054f2786e7
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Sure - I will create one.=C2=A0</div><div class=3D"gmail_=
extra"><br><div class=3D"gmail_quote">On May 10, 2017 14:05, &quot;Dave Pag=
e&quot; &lt;<a href=3D"mailto:dpage@pgadmin.org">dpage@pgadmin.org</a>&gt; =
wrote:<br type=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"m=
argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"l=
tr">BTW; Ashesh, can you please ensure there&#39;s an RM ticket for this, a=
s it&#39;s obviously of interest to users.<div><br></div><div>Thanks.</div>=
</div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Wed, May=
 10, 2017 at 9:06 AM, Dave Page <span dir=3D"ltr">&lt;<a href=3D"mailto:dpa=
ge@pgadmin.org" target=3D"_blank">dpage@pgadmin.org</a>&gt;</span> wrote:<b=
r><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:=
1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><br><div class=3D"gmail_e=
xtra"><br><div class=3D"gmail_quote"><span>On Wed, May 10, 2017 at 9:00 AM,=
 Ashesh Vashi <span dir=3D"ltr">&lt;<a href=3D"mailto:ashesh.vashi@enterpri=
sedb.com" target=3D"_blank">ashesh.vashi@enterprisedb.com</a><wbr>&gt;</spa=
n> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;b=
order-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div class=3D"=
gmail_extra"><div class=3D"gmail_quote"><span>On Wed, May 10, 2017 at 1:29 =
PM, Dave Page <span dir=3D"ltr">&lt;<a href=3D"mailto:dpage@pgadmin.org" ta=
rget=3D"_blank">dpage@pgadmin.org</a>&gt;</span> wrote:<br><blockquote clas=
s=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pad=
ding-left:1ex"><div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div cla=
ss=3D"gmail_quote">On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <span dir=
=3D"ltr">&lt;<a href=3D"mailto:ashesh.vashi@enterprisedb.com" target=3D"_bl=
ank">ashesh.vashi@enterprisedb.com</a><wbr>&gt;</span> wrote:<br><blockquot=
e class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc sol=
id;padding-left:1ex"><div dir=3D"ltr">Thanks.<div>Committed!</div></div></b=
lockquote><div><br></div><div>I agree with the change from a preventative/s=
afety perspective, though I&#39;m struggling to classify it as a security i=
ssue, given that collections are always named by the code and not from user=
 input.=C2=A0</div></div><br clear=3D"all"><div>Am I missing something?</di=
v></div></div></blockquote></span><div>True - but not the case with the ser=
ver-group.</div><div>It is a collection node, still has it&#39;s own label.=
</div></div></div></div></blockquote><div><br></div></span><div>Ahh, yes.=
=C2=A0</div></div><span><div><br></div>-- <br><div class=3D"m_-520692664320=
6819383m_-4906115164570237015gmail_signature" data-smartmail=3D"gmail_signa=
ture">Dave Page<br>Blog: <a href=3D"http://pgsnake.blogspot.com" target=3D"=
_blank">http://pgsnake.blogspot.com</a><br>Twitter: @pgsnake<br><br>Enterpr=
iseDB UK: <a href=3D"http://www.enterprisedb.com" target=3D"_blank">http://=
www.enterprisedb.com</a><br>The Enterprise PostgreSQL Company<br></div>
</span></div></div>
</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br><div class=
=3D"m_-5206926643206819383gmail_signature" data-smartmail=3D"gmail_signatur=
e">Dave Page<br>Blog: <a href=3D"http://pgsnake.blogspot.com" target=3D"_bl=
ank">http://pgsnake.blogspot.com</a><br>Twitter: @pgsnake<br><br>Enterprise=
DB UK: <a href=3D"http://www.enterprisedb.com" target=3D"_blank">http://www=
.enterprisedb.com</a><br>The Enterprise PostgreSQL Company<br></div>
</div>
</blockquote></div></div>

--001a11444bd49c912d054f2786e7--