Thread: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password


From: Heikki Linnakangas

(forwarding to pgadmin-hackers)

On 05/07/2014 06:44 PM, Stephen Frost wrote:
> * dlo@isam.kiwi (dlo@isam.kiwi) wrote:
>> but when the credential contains the delimiter (colon) it fails to be
>> read back out and app responds with "invalid credentials".
>>
>> x.x.x.x:5432:*:username:password:with:colons
>
> Per the fine documentation, you need to escape any such usage with a
> backslash.  Please review:

Stephen, you missed the context. pgadmin3 saves .pgpass, when you check
the "store password" checkbox in the connection dialog. And apparently
pgadmin3 doesn't do that escaping properly.

- Heikki
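
The backslash-escaping rule cited above and the read-back failure from the report, as an added C++ example (not pgAdmin's patch, which this page does not show, and not libpq's parser). `escape_field`, `make_line`, `parse_line` and `reads_back` are hypothetical names, the field values are constructed from the report's sample line, and escaping the backslash itself follows the PostgreSQL `.pgpass` documentation rather than this thread.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Escape one .pgpass field: ':' and '\' each get a leading backslash.
std::string escape_field(const std::string &raw) {
    std::string out;
    for (char c : raw) {
        if (c == ':' || c == '\\') out += '\\';
        out += c;
    }
    return out;
}

// Build a line from the fields host, port, database, username, password.
std::string make_line(const std::vector<std::string> &fields) {
    std::string line;
    for (std::size_t i = 0; i < fields.size(); ++i)
        line += (i ? ":" : "") + escape_field(fields[i]);
    return line;
}

// Simplified reader: split on unescaped ':' and undo the backslash escapes.
std::vector<std::string> parse_line(const std::string &line) {
    std::vector<std::string> fields(1);
    for (std::size_t i = 0; i < line.size(); ++i) {
        if (line[i] == '\\' && i + 1 < line.size())
            fields.back() += line[++i];   // escaped character is taken literally
        else if (line[i] == ':')
            fields.emplace_back();        // unescaped colon starts a new field
        else
            fields.back() += line[i];
    }
    return fields;
}

// True when the line has exactly five fields and the fifth is the password.
bool reads_back(const std::string &line, const std::string &password) {
    std::vector<std::string> f = parse_line(line);
    return f.size() == 5 && f[4] == password;
}

int main() {
    // Constructed sample mirroring the report; x.x.x.x is the thread's placeholder.
    std::vector<std::string> entry = {"x.x.x.x", "5432", "*", "username", "password:with:colons"};
    std::string line = make_line(entry);
    std::cout << line << "\n";
    return reads_back(line, entry[4]) ? 0 : 1;
}
```

The unescaped line from the report splits into seven fields here, so the stored password can no longer be recovered; the escaped line round-trips.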


* Heikki Linnakangas (hlinnakangas@vmware.com) wrote:
> (forwarding to pgadmin-hackers)

Ah.

> On 05/07/2014 06:44 PM, Stephen Frost wrote:
> >* dlo@isam.kiwi (dlo@isam.kiwi) wrote:
> >>but when the credential contains the delimiter (colon) it fails to be
> >>read back out and app responds with "invalid credentials".
> >>
> >>x.x.x.x:5432:*:username:password:with:colons
> >
> >Per the fine documentation, you need to escape any such usage with a
> >backslash.  Please review:
>
> Stephen, you missed the context. pgadmin3 saves .pgpass, when you
> check the "store password" checkbox in the connection dialog. And
> apparently pgadmin3 doesn't do that escaping properly.

Wow, that's pretty rough.  Hopefully they'll be able to fix it soon. :)

    Thanks,

        Stephen

Akshay, can you look into the quoting problem please.

On Thu, May 8, 2014 at 1:07 AM, Stephen Frost <sfrost@snowman.net> wrote:
> * Heikki Linnakangas (hlinnakangas@vmware.com) wrote:
>> (forwarding to pgadmin-hackers)
>
> Ah.
>
>> On 05/07/2014 06:44 PM, Stephen Frost wrote:
>> >* dlo@isam.kiwi (dlo@isam.kiwi) wrote:
>> >>but when the credential contains the delimiter (colon) it fails to be
>> >>read back out and app responds with "invalid credentials".
>> >>
>> >>x.x.x.x:5432:*:username:password:with:colons
>> >
>> >Per the fine documentation, you need to escape any such usage with a
>> >backslash.  Please review:
>>
>> Stephen, you missed the context. pgadmin3 saves .pgpass, when you
>> check the "store password" checkbox in the connection dialog. And
>> apparently pgadmin3 doesn't do that escaping properly.
>
> Wow, that's pretty rough.  Hopefully they'll be able to fix it soon. :)
>
>         Thanks,
>
>                 Stephen



--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Sure.


On Thu, May 8, 2014 at 1:37 PM, Dave Page <dpage@pgadmin.org> wrote:
Akshay, can you look into the quoting problem please.



--
Akshay Joshi
Principal Software Engineer 


Phone: +91 20-3058-9517
Mobile: +91 976-788-8246
Hi Dave 

I have fixed the escaping issue and tested it. It works fine for me. Attached is the patch file, can you please review it.
If code looks good to you, can you please commit the code.  


On Thu, May 8, 2014 at 2:34 PM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Sure.



--
Akshay Joshi
Principal Software Engineer 


Phone: +91 20-3058-9517
Mobile: +91 976-788-8246
Thanks Akshay. Dhiraj, can you review please? I'm a little busy right now.

Thanks.


On Thu, May 15, 2014 at 7:39 AM, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Dave 

I have fixed the escaping issue and tested it. It works fine for me. Attached is the patch file, can you please review it.
If code looks good to you, can you please commit the code.  



--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Sure Dave. I will review the patch and update accordingly.

regards,

Dhiraj Chawla
Senior Software Engineer
EnterpriseDB Corporation
The Enterprise PostgreSQL Company

Phone: +91-20-30589522


On Fri, May 16, 2014 at 1:53 PM, Dave Page <dpage@pgadmin.org> wrote:
Thanks Akshay. Dhiraj, can you review please? I'm a little busy right now.

Thanks.



Hi Akshay,

I have reviewed the patch and tested it as well on the Linux platform. The patch looks good to me. It is working as expected.

regards,

Dhiraj Chawla
Senior Software Engineer
EnterpriseDB Corporation
The Enterprise PostgreSQL Company

Phone: +91-20-30589522


On Tue, May 20, 2014 at 5:58 PM, Dhiraj Chawla <dhiraj.chawla@enterprisedb.com> wrote:
Sure Dave. I will review the patch and update accordingly.


Thanks - patch applied.


On Thu, May 22, 2014 at 6:17 AM, Dhiraj Chawla <dhiraj.chawla@enterprisedb.com> wrote:
Hi Akshay,

I have reviewed the patch and tested it as well on the Linux platform. The patch looks good to me. It is working as expected.


--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company