Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

2018-02-05 Thread Dave Page
On Mon, Feb 5, 2018 at 2:26 AM, Ashesh Vashi 
wrote:

> On Mon, Feb 5, 2018 at 1:35 AM, Dave Page  wrote:
>
>> Hi
>>
>> On 4 Feb 2018, at 18:07, Ashesh Vashi 
>> wrote:
>>
>> Hi Dave,
>>
>> There is a possibility of SQL Injection (if we don't use qtLiteral).
>> We need some kind of check for this.
>>
>> What do you say?
>>
>>
>> The user is already logged in, and could run the query tool anyway to do
>> anything their privileges allow.
>>
> That's always there.
>

Yes.


>
>> Do you see an escalation vector that I’m missing?
>>
> I think - user can add any value (with space) for the variable of text
> type.
>
> So - we need a mechanism to transform the value in a proper manner.
>

You are missing my point. The user is already logged in and can run any
queries their privileges allow. In virtually all cases in pgAdmin, we let
the database server validate input (we only ever quote things), because
it's often extremely difficult to do (think stored procedures for example).

Can the user *escalate* their privileges through this feature, or does it
just give them a somewhat bizarre way of running a query that they could
run anyway?

I don't think so, but am I missing something?



>
> -- Thanks,
> Ashesh Vashi
>
>>
>>
>
>> I re-added the hackers list for any other opinions.
>>
>>
>>
>> --
>>
>> Thanks & Regards,
>>
>> Ashesh Vashi
>> EnterpriseDB INDIA: Enterprise PostgreSQL Company
>> 
>>
>>
>> *http://www.linkedin.com/in/asheshvashi*
>> 
>>
>> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page  wrote:
>>
>>> Don't quote variable values used by SET. It's usually going to be wrong.
>>> Fixes #3027
>>>
>>> Branch
>>> --
>>> master
>>>
>>> Details
>>> ---
>>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>>
>>> Modified Files
>>> --
>>> .../databases/schemas/templates/macros/functions/variable.macros  | 2 +-
>>> .../browser/server_groups/servers/templates/macros/variable.macros| 4 ++--
>>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>>
>>>
>>
>


-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

2018-02-04 Thread Ashesh Vashi
On Mon, Feb 5, 2018 at 1:35 AM, Dave Page  wrote:

> Hi
>
> On 4 Feb 2018, at 18:07, Ashesh Vashi 
> wrote:
>
> Hi Dave,
>
> There is a possibility of SQL Injection (if we don't use qtLiteral).
> We need some kind of check for this.
>
> What do you say?
>
>
> The user is already logged in, and could run the query tool anyway to do
> anything their privileges allow.
>
That's always there.

>
> Do you see an escalation vector that I’m missing?
>
I think - user can add any value (with space) for the variable of text type.

So - we need a mechanism to transform the value in a proper manner.

-- Thanks,
Ashesh Vashi

>
>

> I re-added the hackers list for any other opinions.
>
>
>
> --
>
> Thanks & Regards,
>
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> 
>
>
> *http://www.linkedin.com/in/asheshvashi*
> 
>
> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page  wrote:
>
>> Don't quote variable values used by SET. It's usually going to be wrong.
>> Fixes #3027
>>
>> Branch
>> --
>> master
>>
>> Details
>> ---
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>
>> Modified Files
>> --
>> .../databases/schemas/templates/macros/functions/variable.macros  | 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros| 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>
>>
>


Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

2018-02-04 Thread Dave Page
Hi

> On 4 Feb 2018, at 18:07, Ashesh Vashi  wrote:
> 
> Hi Dave,
> 
> There is a possibility of SQL Injection (if we don't use qtLiteral).
> We need some kind of check for this.
> 
> What do you say?

The user is already logged in, and could run the query tool anyway to do 
anything their privileges allow.

Do you see an escalation vector that I’m missing?

I re-added the hackers list for any other opinions.

> 
> 
> --
> Thanks & Regards,
> 
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> 
> http://www.linkedin.com/in/asheshvashi
> 
>> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page  wrote:
>> Don't quote variable values used by SET. It's usually going to be wrong. 
>> Fixes #3027
>> 
>> Branch
>> --
>> master
>> 
>> Details
>> ---
>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>> 
>> Modified Files
>> --
>> .../databases/schemas/templates/macros/functions/variable.macros  | 2 +-
>> .../browser/server_groups/servers/templates/macros/variable.macros| 4 ++--
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>> 
> 


pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

2018-02-02 Thread Dave Page
Don't quote variable values used by SET. It's usually going to be wrong. Fixes #3027

Branch
--
master

Details
---
https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=4d69764869bf9d1731d61d15a290388d5bd0f789

Modified Files
--
.../databases/schemas/templates/macros/functions/variable.macros  | 2 +-
.../browser/server_groups/servers/templates/macros/variable.macros| 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)