From: Ashesh Vashi <[email protected]>
To: Dave Page <[email protected]>
Cc: Khushboo Vashi <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: [pgAdmin4][Patch]: Fixed RM 1603 & RM 1220
Date: Sat, 15 Oct 2016 09:26:33 +0530
Message-ID: <CAG7mmozC2SyM=XfJEn6a4w93dFEzhHV-9re6BMst4GD7EO-6qQ@mail.gmail.com>
In-Reply-To: <CA+OCxoz8pmhgEwF-q3ob9pdOwhOL0D5hPrrpVApw1JFbgbFf6w@mail.gmail.com>
References: <CAFOhELebFb=ceHh2bhRFE6awSx1LGW9EYaqC7AfkmEaWnPXXig@mail.gmail.com>
<CA+OCxoz8pmhgEwF-q3ob9pdOwhOL0D5hPrrpVApw1JFbgbFf6w@mail.gmail.com>
List-Unsubscribe: <mailto:[email protected]?body=unsub%20pgadmin-hackers>
On Sat, Oct 15, 2016 at 4:59 AM, Dave Page <[email protected]> wrote:
> Hi
>
> On Friday, October 14, 2016, Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>
>> Hi,
>>
>> Please find the attached patch to fix the below 2 bugs.
>>
>> RM 1603: [Web Based] Export database failed if object contains double
>> quotes.
>> RM 1220: Backup database is not working with special characters
>>
>> The issues which were fixed:
>>
>> 1. Client side data were not unescaped
>> 2. Required command line arguments were quoted twice
>>
>
> This is not working for me: I tested using Table Export as per Fahar's
> instructions. As I'm in desktop mode, the first problem was that we get an
> error at line 210 of import_export/__init__.py, because
> get_server_directory returned None for the directory. If I fix that, then
> the job says it's created, but as far as I can see, nothing else happens.
>
hmm..
>
> Secondly, this patch seems to push quoting responsibility to the front end.
>
No - that's not the case, we're using the _.escape(..) function on the node's
label to fix the XSS vulnerability issue on the client side.
Hence - when sending the data back, we're using the _.unescape(..) function
to return the same data that was sent by the server.
Though - IIRC - we have the original label stored in another variable
'_label', which we can use instead of unescaping it again.
> This doesn't seem right, because we might want to use the RESTful APIs for
> another purpose in the future, which would mean needing to re-implement
> quoting if something else uses an affected API.
>
As I explained above, it won't affect the RESTful API.
--
Thanks & Regards,
Ashesh Vashi
>
> Thanks.
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
>
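Added example, not code from the patch or from pgAdmin: an underscore-style escape/unescape pair and the three ways discussed in this thread of deriving the object name that the client sends to the export/backup API from a tree node. It assumes a node shape `{label, _label}` and the names `escapeHtml`, `unescapeHtml`, `makeNode` and `objectNameForApi` (all assumptions), and shows why a label escaped for display cannot be sent back as-is when the name contains double quotes, while either `_.unescape(..)` or the stored `_label` yields the server's original identifier.

```javascript
// Added example (not pgAdmin code): underscore-style escape/unescape and the
// client-side label handling discussed for RM 1603 (names with double quotes).
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
const UNESCAPE_MAP = Object.fromEntries(Object.entries(ESCAPE_MAP).map(([k, v]) => [v, k]));

// Equivalent of _.escape(): make a label safe to interpolate into tree-node HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Equivalent of _.unescape(): reverse escapeHtml() so the original identifier comes back.
function unescapeHtml(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#x27|#x60);/g, (ent) => UNESCAPE_MAP[ent]);
}

// Simulates a tree node (assumed shape): `label` is escaped once for the DOM,
// `_label` keeps the raw identifier exactly as the server sent it.
function makeNode(rawLabel) {
  return { label: escapeHtml(rawLabel), _label: rawLabel };
}

// Builds the object name the client would post to the export/backup API.
// `mode` selects one of the three strategies from the thread.
function objectNameForApi(node, mode) {
  switch (mode) {
    case 'escaped-label':  return node.label;               // bug: sends &quot; instead of "
    case 'unescape-label': return unescapeHtml(node.label); // what the patch does
    case 'original-label': return node._label;              // use the stored raw label, no round trip
    default: throw new Error(`unknown mode: ${mode}`);
  }
}

// Constructed sample: a table whose name contains double quotes (the RM 1603 case).
const SAMPLE_TABLE = 'my "quoted" table';
```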