On Mon, Jan 16, 2017 at 8:42 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi On Sat, Jan 14, 2017 at 2:27 PM, Harshal Dhumal <harshal.dhumal@enterprisedb.com> wrote: > Hi, > > Pls updated patch for RM1911. > > 1. This includes fix for issue index out of range when user enters path of > folder without trailing slash (showed by Dave). > 2. To make this functionality compatible with save last used directory > feature.
- The first test I ran gave the error seen in the attachment (running in server mode, clicking the Browse button on the backup dialogue).
Fixed.
- I also noticed in reviewing the changes again, that you've got code in sqleditor/__init__.py to stop the user moving outside of the storage sandbox in server mode. That code should be part of the file manager - none of the modules using it should be doing that kind of check.
Fixed.
- If I do try to navigate outside of the sandbox, I get a nice error: "Error: Access Denied (/Users/dpage/.pgadmin)" for example, if I enter /../../. Whilst it's good to be informative, it's also a security leak. It should only tell me the path that the user sees, not the path as it actually is on the server - e.g. "Error: Access Denied (/../../../)"