Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually
From | Dave Page
---|---
Subject | Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually
Date |
Msg-id | 4A076831-1759-4F38-B8FA-38C5C2AE742A@pgadmin.org
In reply to | pgAdmin 4 commit: Don't quote variable values used by SET. It's usually (Dave Page <dpage@pgadmin.org>)
Responses | Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually
List | pgadmin-hackers
Hi

> Hi Dave,
> There is a possibility of SQL Injection (if we don't use qtLiteral). We need some kind of check for this. What do you say?
The user is already logged in, and could run the query tool anyway to do anything their privileges allow.
Do you see an escalation vector that I’m missing?
I re-added the hackers list for any other opinions.
On Fri, Feb 2, 2018 at 7:28 PM, Dave Page <dpage@pgadmin.org> wrote:

> Don't quote variable values used by SET. It's usually going to be wrong. Fixes #3027
>
> Branch
> ------
> master
>
> Details
> -------
> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>
> Modified Files
> --------------
> .../databases/schemas/templates/macros/functions/variable.macros | 2 +-
> .../browser/server_groups/servers/templates/macros/variable.macros | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)