Hi

> On 4 Feb 2018, at 18:07, Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:
>
> Hi Dave,
>
> There is a possibility of SQL Injection (if we don't use qtLiteral).
> We need some kind of check for this.
>
> What do you say?

The user is already logged in, and could run the query tool anyway to do anything their privileges allow.

Do you see an escalation vector that I'm missing?

I re-added the hackers list for any other opinions.

> --
> Thanks & Regards,
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> http://www.linkedin.com/in/asheshvashi
>
> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page <dpage@pgadmin.org> wrote:
>> Don't quote variable values used by SET. It's usually going to be wrong. Fixes #3027
>>
>> Branch
>> ------
>> master
>>
>> Details
>> -------
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>
>> Modified Files
>> --------------
>> .../databases/schemas/templates/macros/functions/variable.macros | 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros | 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
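The concern raised in the thread, shown as an added illustration that is not pgAdmin's code and makes no claim about whether pgAdmin's templates are reachable this way: a SET clause rendered by raw string interpolation, beside the literal-quoted form the commit removed, a parameter-bound call to PostgreSQL's set_config(setting_name, new_value, is_local), and an allowlist check for values that are legitimately written unquoted. The sample values, the `%s` placeholder style, the allowlist grammar and the statement splitter are assumptions made for the example.

```python
from __future__ import annotations

import re

# Constructed sample values for the illustration (not taken from pgAdmin or the thread).
SAFE_VALUE = "64MB"
CRAFTED_VALUE = "64MB; DROP TABLE audit_log"


def render_set_unquoted(name: str, value: str) -> str:
    """Interpolate the value raw, as a template that skips literal quoting would."""
    return f"SET {name} = {value};"


def render_set_quoted(name: str, value: str) -> str:
    """Interpolate the value as a single-quoted SQL literal (embedded quotes doubled).

    This closes the statement-splitting problem shown below, but it also turns every
    value into a string constant, which is not what SET expects for every setting.
    """
    escaped = value.replace("'", "''")
    return f"SET {name} = '{escaped}';"


def render_set_config(name: str, value: str) -> tuple[str, tuple[str, str]]:
    """Hardened form: hand the value to PostgreSQL's set_config() as a bound parameter.

    Returns the statement and its parameters; the caller is assumed to execute them
    with a driver that binds or escapes '%s' placeholders (psycopg-style). The value
    never becomes part of the SQL text, so it cannot terminate the statement.
    """
    return "SELECT set_config(%s, %s, false);", (name, value)


# Assumed allowlist for values that are legitimately written unquoted in SET:
# identifiers, numbers with unit suffixes, double-quoted identifiers without embedded
# quotes, and comma-separated lists of those (as search_path takes). Anything else,
# including single-quoted string literals, is rejected rather than escaped.
_TOKEN = r'(?:[A-Za-z0-9_.$\-]+|"[^"]*")'
SET_VALUE_RE = re.compile(rf"^\s*{_TOKEN}(?:\s*,\s*{_TOKEN})*\s*$")
# Setting names: an identifier, optionally with one dotted prefix for custom settings.
SET_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?$")


def is_safe_set_value(value: str) -> bool:
    return bool(SET_VALUE_RE.match(value))


def is_safe_set_name(name: str) -> bool:
    return bool(SET_NAME_RE.match(name))


def render_set_checked(name: str, value: str) -> str:
    """Unquoted rendering, guarded by the allowlist; raises instead of emitting SQL."""
    if not is_safe_set_name(name):
        raise ValueError(f"unsafe setting name: {name!r}")
    if not is_safe_set_value(value):
        raise ValueError(f"unsafe setting value: {value!r}")
    return render_set_unquoted(name, value)


def split_statements(sql: str) -> list[str]:
    """Split on semicolons outside single- or double-quoted regions.

    Deliberately minimal (no comments, no dollar quoting); it only exists to show how
    the rendered text would be cut into statements before the server sees them.
    """
    parts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                parts.append(stmt)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


if __name__ == "__main__":
    for label, sql in [
        ("unquoted", render_set_unquoted("work_mem", CRAFTED_VALUE)),
        ("quoted", render_set_quoted("work_mem", CRAFTED_VALUE)),
    ]:
        print(f"{label}: {split_statements(sql)}")
    print("set_config:", render_set_config("work_mem", CRAFTED_VALUE))
    print("checked:", render_set_checked("search_path", '"$user", public'))
    try:
        render_set_checked("work_mem", CRAFTED_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```

The raw rendering of the crafted value yields two statements, the quoted rendering yields one, and the set_config() form keeps the value out of the SQL text entirely. The point made in the reply still holds: for a user who already has the query tool, none of this is a privilege boundary; what the allowlist buys is refusing values that would misrender the statement, which matters more for an unquoted SET than for a quoted one.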