From: Ashesh Vashi
Date: Wed, 10 May 2017 13:30:57 +0530
Subject: Re: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
To: Dave Page
Cc: Andrei Antonov, pgadmin-hackers

On Wed, May 10, 2017 at 1:29 PM, Dave Page <dpage@pgadmin.org> wrote:

> On Wed, May 10, 2017 at 8:56 AM, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
>
>> Thanks.
>> Committed!
>
> I agree with the change from a preventative/safety perspective, though I'm
> struggling to classify it as a security issue, given that collections are
> always named by the code and not from user input.
>
> Am I missing something?

True - but not the case with the server-group.
It is a collection node, still has its own label.

-- Thanks, Ashesh

> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
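An added illustration of the point made in this reply, not code from pgAdmin or from the patch under discussion: a hypothetical tree model showing why escaping decided by node kind misses a collection node whose label is user-supplied, next to escaping every label. The node shapes, function names and sample labels are all constructed for the example.

```javascript
// Added example: hypothetical tree model, not pgAdmin's own code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample tree. Most collection labels ("Databases") come from code,
// but a server-group is a collection node whose label the user typed in.
const sampleTree = [{
  type: 'server-group', isCollection: true,
  label: '<i>Prod</i>', // user-supplied label (constructed)
  children: [{
    type: 'server', isCollection: false, label: 'db01 & db02',
    children: [{ type: 'coll-database', isCollection: true, label: 'Databases', children: [] }],
  }],
}];

// "Before": trusts collection labels on the assumption that code names them.
function renderLabelAssumingSafeCollections(node) {
  return node.isCollection ? node.label : escapeHtml(node.label);
}

// "After": escapes every label, whatever the node kind.
function renderLabelAlwaysEscaped(node) {
  return escapeHtml(node.label);
}

function renderTree(nodes, renderLabel) {
  if (nodes.length === 0) return '';
  const items = nodes.map((n) =>
    `<li data-type="${escapeHtml(n.type)}"><span>${renderLabel(n)}</span>` +
    `${renderTree(n.children, renderLabel)}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Audit helper: paths of nodes whose label would reach the page as raw markup
// under the "before" policy (output differs from the always-escaped form).
function findUnescapedLabels(nodes, path = []) {
  return nodes.flatMap((n) => {
    const here = path.concat(n.type);
    const differs = renderLabelAssumingSafeCollections(n) !== renderLabelAlwaysEscaped(n);
    return (differs ? [here.join('/')] : []).concat(findUnescapedLabels(n.children, here));
  });
}
```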