Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

From Dave Page
Subject Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually
Date
Msg-id 4A076831-1759-4F38-B8FA-38C5C2AE742A@pgadmin.org
In reply to pgAdmin 4 commit: Don't quote variable values used by SET. It's usually (Dave Page <dpage@pgadmin.org>)
Responses Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually
List pgadmin-hackers
Hi

On 4 Feb 2018, at 18:07, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

> Hi Dave,
>
> There is a possibility of SQL Injection (if we don't use qtLiteral).
> We need some kind of check for this.
>
> What do you say?

The user is already logged in, and could run the query tool anyway to do anything their privileges allow.

Do you see an escalation vector that I’m missing?

I re-added the hackers list for any other opinions.

> --
>
> Thanks & Regards,
>
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
>
> http://www.linkedin.com/in/asheshvashi
>
> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page <dpage@pgadmin.org> wrote:
>> Don't quote variable values used by SET. It's usually going to be wrong. Fixes #3027
>>
>> Branch
>> ------
>> master
>>
>> Details
>> -------
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>
>> Modified Files
>> --------------
>> .../databases/schemas/templates/macros/functions/variable.macros      | 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros    | 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
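Ashesh asks above for "some kind of check". As an added illustration (this is not pgAdmin's code and does not involve the qtLiteral macro), the Python below leaves the SET value unquoted, as the commit does, but accepts it only when it parses as plain GUC value elements, so a value that would close the statement is refused before any SQL is built. The grammar and the function names are assumptions of this example.

```python
import re

# Assumed, conservative grammar for one element of a SET value (not pgAdmin's
# own check and not the qtLiteral macro): a bare identifier or keyword, a
# double-quoted identifier, a number with an optional unit, or a single-quoted
# literal that uses '' as its escape.
_ELEMENT = r"""
    [A-Za-z_][A-Za-z0-9_$.]*       # identifier or keyword: public, on, DEFAULT
  | "[^"]*"                        # double-quoted identifier: "$user"
  | -?\d+(?:\.\d+)?[A-Za-z]*       # number with optional unit: 0, 1.5, 4MB, 30s
  | '(?:[^']|'')*'                 # single-quoted literal: 'it''s'
"""
# A value is one element or a comma-separated list of them (search_path style).
_VALUE_RE = re.compile(rf"^\s*(?:{_ELEMENT})(?:\s*,\s*(?:{_ELEMENT}))*\s*$",
                       re.VERBOSE)
# Parameter names: a GUC name, optionally qualified (extension.setting).
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?$")


def is_safe_set_value(value: str) -> bool:
    """True when the value consists only of plain GUC value elements."""
    return _VALUE_RE.match(value) is not None


def render_set(name: str, value: str) -> str:
    """Emit SET with the value left unquoted, as the commit does, but only
    after both name and value pass the grammar check; anything else is refused."""
    if _NAME_RE.match(name) is None:
        raise ValueError(f"rejected parameter name: {name!r}")
    if not is_safe_set_value(value):
        raise ValueError(f"rejected SET value: {value!r}")
    return f"SET {name} TO {value};"
```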

