On Mon, Feb 5, 2018 at 1:35 AM, Dave Page <dp...@pgadmin.org> wrote:
> Hi
>
> On 4 Feb 2018, at 18:07, Ashesh Vashi <ashesh.va...@enterprisedb.com> wrote:
>
> Hi Dave,
>
> There is a possibility of SQL Injection (if we don't use qtLiteral).
> We need some kind of check for this.
>
> What do you say?
>
>
> The user is already logged in, and could run the query tool anyway to do
> anything their privileges allow.

That's always there.

> Do you see an escalation vector that I’m missing?

I think - user can add any value (with space) for the variable of text type.
So - we need a mechanism to transform the value in a proper manner.

--
Thanks, Ashesh Vashi

> I re-added the hackers list for any other opinions.
>
> --
> Thanks & Regards,
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company <http://www.enterprisedb.com>
>
> *http://www.linkedin.com/in/asheshvashi* <http://www.linkedin.com/in/asheshvashi>
>
> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page <dp...@pgadmin.org> wrote:
>> Don't quote variable values used by SET. It's usually going to be wrong.
>> Fixes #3027
>>
>> Branch
>> ------
>> master
>>
>> Details
>> -------
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>
>> Modified Files
>> --------------
>> .../databases/schemas/templates/macros/functions/variable.macros | 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros | 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
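The "mechanism to transform the value" discussed above, as an added illustration that is not pgAdmin's own code: a SET value is a comma-separated list of numbers, identifiers, double-quoted identifiers or single-quoted strings, so wrapping the whole thing in one literal (qtLiteral) breaks multi-item settings such as search_path, while interpolating it raw accepts anything. The validator below admits only that grammar and refuses everything else; the function names are my own.

```python
import re

# Constructed example: a whitelist validator modelled on what PostgreSQL
# accepts to the right of "SET name =". Not pgAdmin code.

# A GUC name: identifier, optionally dotted (e.g. plpgsql.variable_conflict).
_GUC_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")

# One item of the value list, with surrounding whitespace.
_ITEM = re.compile(
    r"""
    \s*(?:
        -?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?   # numeric constant
      | [A-Za-z_][A-Za-z0-9_$]*            # plain identifier, on/off/default
      | "(?:[^"]|"")*"                     # double-quoted identifier ("" escapes)
      | '(?:[^']|'')*'                     # single-quoted string ('' escapes)
    )\s*
    """,
    re.VERBOSE,
)


def is_safe_set_value(value: str) -> bool:
    """True only if value is a well-formed SET value list and nothing more."""
    pos, end = 0, len(value)
    while True:
        m = _ITEM.match(value, pos)
        if not m:                      # empty, stray ';', '--', unbalanced quote...
            return False
        pos = m.end()
        if pos == end:
            return True
        if value[pos] != ",":          # only a comma may follow an item
            return False
        pos += 1                       # a trailing comma fails on the next loop


def render_set(name: str, value: str, local: bool = False) -> str:
    """Render SET [LOCAL] name = value, refusing anything outside the grammar."""
    if not _GUC_NAME.match(name):
        raise ValueError(f"invalid parameter name: {name!r}")
    if not is_safe_set_value(value):
        raise ValueError(f"not a plain SET value list: {value!r}")
    scope = "LOCAL " if local else ""
    return f"SET {scope}{name} = {value}"
```

Where the driver supports bind parameters, `SELECT set_config($1, $2, false)` with the value passed as a parameter avoids building the statement text at all.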