Re: pgAdmin 4 commit: Don't quote variable values used by SET. It's usually

2018-02-05 Thread Dave Page
On Mon, Feb 5, 2018 at 2:26 AM, Ashesh Vashi 
wrote:

> On Mon, Feb 5, 2018 at 1:35 AM, Dave Page  wrote:
>
>> Hi
>>
>> On 4 Feb 2018, at 18:07, Ashesh Vashi 
>> wrote:
>>
>> Hi Dave,
>>
>> There is a possibility of SQL injection (if we don't use qtLiteral).
>> We need some kind of check for this.
>>
>> What do you say?
>>
>>
>> The user is already logged in, and could run the query tool anyway to do
>> anything their privileges allow.
>>
> That's always there.
>

Yes.


>
>> Do you see an escalation vector that I’m missing?
>>
> I think - the user can add any value (with spaces) for a variable of text
> type.
>
> So - we need a mechanism to transform the value in a proper manner.
>

You are missing my point. The user is already logged in and can run any
queries their privileges allow. In virtually all cases in pgAdmin, we let
the database server validate input (we only ever quote things), because
it's often extremely difficult to do (think stored procedures for example).

Can the user *escalate* their privileges through this feature, or does it
just give them a somewhat bizarre way of running a query that they could
run anyway?

I don't think so, but am I missing something?



>
> -- Thanks,
> Ashesh Vashi
>
>>
>>
>
>> I re-added the hackers list for any other opinions.
>>
>>
>>
>> --
>>
>> Thanks & Regards,
>>
>> Ashesh Vashi
>> EnterpriseDB INDIA: Enterprise PostgreSQL Company
>> 
>>
>>
>> *http://www.linkedin.com/in/asheshvashi*
>> 
>>
>> On Fri, Feb 2, 2018 at 7:28 PM, Dave Page  wrote:
>>
>>> Don't quote variable values used by SET. It's usually going to be wrong.
>>> Fixes #3027
>>>
>>> Branch
>>> --
>>> master
>>>
>>> Details
>>> ---
>>> https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdif
>>> f;h=4d69764869bf9d1731d61d15a290388d5bd0f789
>>>
>>> Modified Files
>>> --
>>> .../databases/schemas/templates/macros/functions/variable.macros  |
>>> 2 +-
>>> .../browser/server_groups/servers/templates/macros/variable.macros|
>>> 4 ++--
>>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>>
>>>
>>
>


-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
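The check Ashesh asks for and the quoting question the commit raises, worked through as an added example. This is illustrative Python written for this page, not pgAdmin's code and not the `variable.macros` templates the commit touched; `LIST_GUCS`, the function names and the sample role `alice` are assumptions. It renders one `SET` value three ways: passed through as typed, as one string constant, and according to the kind of value the GUC takes, so that a value containing a space, a quote, a comma or a semicolon stays inside a single constant or quoted identifier instead of changing the shape of the statement the server receives.

```python
import re

# Assumption for this example: GUCs whose value is a comma-separated list of
# identifiers. search_path is the well-known one; the others are the usual
# suspects and may not match a given server version exactly.
LIST_GUCS = {
    "search_path",
    "temp_tablespaces",
    "session_preload_libraries",
    "shared_preload_libraries",
    "local_preload_libraries",
}

_NUMBER = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def quote_literal(value):
    """Render a string constant. Doubling ' keeps an embedded ' or ; inside it."""
    return "'" + value.replace("'", "''") + "'"


def quote_ident(name):
    """Render a double-quoted identifier. Doubling " keeps everything inside it."""
    return '"' + name.replace('"', '""') + '"'


def unquote_ident(token):
    """Undo quoting the user already typed ("$user" -> $user); fold unquoted
    names to lower case, as the server does."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('""', '"')
    return token.lower()


def split_guc_list(value):
    """Split on commas that are outside double quotes, so "a,b" stays one item."""
    items, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    items.append("".join(current).strip())
    return [item for item in items if item]


def raw_set_value(name, value):
    """Pass-through: the value lands in the statement exactly as typed."""
    return value


def whole_literal_set_value(name, value):
    """The other extreme: the whole value as one string constant, whatever the GUC."""
    return quote_literal(value)


def typed_set_value(name, value):
    """Render the value the way the server's parser expects for this GUC."""
    value = value.strip()
    if value.upper() == "DEFAULT":
        return "DEFAULT"
    if name.lower() in LIST_GUCS:
        items = [quote_ident(unquote_ident(t)) for t in split_guc_list(value)]
        return ", ".join(items) or quote_literal("")
    if _NUMBER.match(value):
        return value
    return quote_literal(value)


def alter_role_set(role, name, value, render=typed_set_value):
    """Build the ALTER ROLE ... SET statement with the chosen value renderer."""
    guc = ".".join(quote_ident(part) for part in name.split("."))
    return "ALTER ROLE %s SET %s = %s;" % (quote_ident(role), guc, render(name, value))


if __name__ == "__main__":
    # Constructed sample inputs, as a user might type them into a dialog.
    samples = [
        ("search_path", '"$user", public'),
        ("TimeZone", "Europe/London"),
        ("statement_timeout", "5000"),
        ("application_name", "o'reilly"),
    ]
    for guc_name, typed in samples:
        print(alter_role_set("alice", guc_name, typed, raw_set_value))
        print(alter_role_set("alice", guc_name, typed, whole_literal_set_value))
        print(alter_role_set("alice", guc_name, typed))
```

With `raw_set_value` the `application_name` statement carries a single unbalanced `'`, and a `search_path` value such as `public; select 1` is handed to the server as typed; with `typed_set_value` the first becomes `'o''reilly'` and the second a single quoted schema name, so whatever the user typed is confined to one token of the statement. Whether that amounts to more than a strange way of running a query the user could run anyway is exactly the question left open in the thread; the transform only settles how the statement is shaped.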


Re: [pgAdmin4][RM#3082] Fix PEP-8 issues

2018-02-05 Thread Dave Page
Hi

On Fri, Feb 2, 2018 at 5:46 PM, Murtuza Zabuawala <
murtuza.zabuaw...@enterprisedb.com> wrote:

> Hi,
>
> PFA patch to fix PEP-8 issues in feature_tests, dashboard, about and misc
> module's python code.
>
> To verify the changes,
> 1) activate the virtual environment
> 2) navigate to the ../web directory and run the following
> pycodestyle --config=.pycodestyle ./pgadmin/misc/
> pycodestyle --config=.pycodestyle ./pgadmin/about/
> pycodestyle --config=.pycodestyle ./pgadmin/dashboard/
> pycodestyle --config=.pycodestyle ./pgadmin/feature_tests/
>

I seem to be getting the following failure pretty consistently with this
patch applied:

==
ERROR: runTest
(pgadmin.feature_tests.pg_datatype_validation_test.PGDataypeFeatureTest)
Test checks for PG data-types output
--
Traceback (most recent call last):
  File
"/Users/dpage/git/pgadmin4/web/pgadmin/feature_tests/pg_datatype_validation_test.py",
line 135, in runTest
self._check_datatype()
  File
"/Users/dpage/git/pgadmin4/web/pgadmin/feature_tests/pg_datatype_validation_test.py",
line 161, in _check_datatype
query = self.construct_select_query(batch)
  File
"/Users/dpage/git/pgadmin4/web/pgadmin/feature_tests/pg_datatype_validation_test.py",
line 214, in construct_select_query
if not self._is_datatype_available_in_current_database(datatype):
  File
"/Users/dpage/git/pgadmin4/web/pgadmin/feature_tests/pg_datatype_validation_test.py",
line 252, in _is_datatype_available_in_current_database
valid_version = self.database_version >= type_minimum_version[datatype]
KeyError: u''

--
Ran 10 tests in 209.730s

FAILED (errors=1, skipped=1)

==
Test Result Summary
==

Regression - PG 10:

8 tests passed
1 test failed:
PGDataypeFeatureTest (Test checks for PG data-types output)
1 test skipped:
CheckDebuggerForXssFeatureTest (Tests to check if Debugger is vulnerable to
XSS)

==

I also got the following whilst testing:

(pgadmin4)piranha:web dpage$ pycodestyle --config=.pycodestyle
./pgadmin/feature_tests/
./pgadmin/feature_tests/keyboard_shortcut_test.py:33: [E501] line too long
(95 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:34: [E501] line too long
(95 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:42: [E501] line too long
(87 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:51: [E501] line too long
(114 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:54: [E501] line too long
(90 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:69: [E501] line too long
(91 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:75: [E501] line too long
(89 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:82: [E501] line too long
(100 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:90: [E501] line too long
(86 > 79 characters)
./pgadmin/feature_tests/keyboard_shortcut_test.py:95: [W391] blank line at
end of file
9   E501 line too long (95 > 79 characters)
1   W391 blank line at end of file
10

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


pgAdmin 4 commit: Rewrite the runtime as a tray-based server which can

2018-02-05 Thread Dave Page
Rewrite the runtime as a tray-based server which can launch a web browser. 
Fixes #3086

Branch
--
master

Details
---
https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=7192a2b67502b2afbad9e88cd3fc4618e7e64da1

Modified Files
--
.gitignore|2 +-
Make-MinGW.bat|  497 -
Make.bat  |  237 ++-
Makefile  |3 -
README|   18 +-
docs/en_US/desktop_deployment.rst |   12 +-
docs/en_US/getting_started.rst|   10 +-
docs/en_US/index.rst  |6 +-
docs/en_US/keyboard_shortcuts.rst |   28 +-
pkg/docker/build.sh   |4 +-
pkg/mac/build.sh  |8 +-
pkg/mac/complete-bundle.sh|7 -
runtime/BrowserWindow.cpp | 1377 -
runtime/BrowserWindow.h   |  170 -
runtime/BrowserWindow.ui  |   37 -
runtime/ConfigWindow.cpp  |   10 +
runtime/ConfigWindow.h|3 +-
runtime/ConfigWindow.ui   |  222 +-
runtime/Info.plist|2 +
runtime/LogWindow.cpp |   88 +++
runtime/LogWindow.h   |   40 ++
runtime/LogWindow.ui  |  106 +++
runtime/Server.cpp|9 +-
runtime/Server.h  |9 +-
runtime/TabWindow.cpp |  713 ---
runtime/TabWindow.h   |  188 -
runtime/TrayIcon.cpp  |  244 +++
runtime/TrayIcon.h|   61 ++
runtime/WebViewWindow.cpp |  195 --
runtime/WebViewWindow.h   |   95 ---
runtime/pgAdmin4-mac.png  |  Bin 0 -> 81551 bytes
runtime/pgAdmin4.cpp  |  355 +-
runtime/pgAdmin4.h|3 +
runtime/pgAdmin4.png  |  Bin 0 -> 99482 bytes
runtime/pgAdmin4.pro  |   65 +-
runtime/pgAdmin4.qrc  |3 +-
runtime/qss/pgadmin4.qss  |3 -
37 files changed, 1021 insertions(+), 3809 deletions(-)



Build failed in Jenkins: pgadmin4-master-python27-feature #13

2018-02-05 Thread pgAdmin 4 Jenkins
See 


Changes:

[Dave Page] Fix layout of password prompt dialogue. Fixes #2684

[Dave Page] Fix quoting of index column names on tables. Fixes #2619

[Dave Page] Initial draft of the 2.0 release notes.

[Ashesh Vashi] Replacing existing browser tree node png icons with the svg 
icons. Made

[Ashesh Vashi] Changes in the stylesheets to support the svg icons for the 
browser tree

[Ashesh Vashi] Miscellaneous fixes for icon sizing issue, missing tree nodes to 
be

[Ashesh Vashi] Rename the SecurityGroupUnderSchema to SecurityGroupSchema, and

[Dave Page] Stick with the older Flask-Script module for Python 2.6

[Dave Page] Remove icons from the menus to de-clutter the UI and make it more

[Dave Page] Bump the build suffix in preparation for release.

[Dave Page] Remove menu icon tests that are no longer required.

[Dave Page] Use wheel==0.29.0 with Python 2.6 and 3.3.

[Dave Page] Add new icons to release notes.

[Ashesh Vashi] Using the svg icons for domain constraint, and server browser 
nodes.

[akshay.joshi] Highlighting greenplum keywords in sql editor

[Dave Page] Run webpack in production mode when building for releases. Fixes 
#2660

[Dave Page] Fix an issue where base types are not displaying in the create/edit

[Dave Page] Fix an issue in User mapping module where users were not listed. 
Fixes

[Dave Page] Update server and database icons with a clearer design.

[Dave Page] Update cast icons with improved design.

[Dave Page] Always pack React in prod mode to avoid a bug in debug mode that

[Dave Page] Bundle fonts with pgAdmin so we have a standard set for all 
platforms.

[Ashesh Vashi] Handle the executor nodes, which are unknown to the Explain 
module,

[Dave Page] Fix filtering of system schemas so pg_* is hidden but pg* is not. 
Fixes

[Dave Page] Replace the "Roboto" font family with "Open Sans" for alertify 
dialogs.

[Dave Page] Fix menu left-hand margin.

[akshay.joshi] Changed array representation and formatting for the data types 
in Query

[Dave Page] Support React v15.5 and later where the code fails to run because

[Dave Page] Ensure builtins.SERVER_MODE is set in the WSGI wrapper.

[Dave Page] Support Flask-Security 3.0

[Dave Page] Fix user manager role handling. Fixes #2641

[Dave Page] Fix error message regexp in the query tool that could fail in some

[Dave Page] Correct alignment of the X button on dismissable alerts.

[Dave Page] Fix tablespace move prompt message. Fixes #2708

[Dave Page] Fix disable trigger menu option. Fixes #2707

[Dave Page] Fix View Data option and column config for Foreign Tables. Fixes 
#2691

[Dave Page] Fix for Exception when the server is restarted. Fixes #2713

[Dave Page] Bump version for RC2 release.

[Dave Page] Remove unused import that was causing a hard error on Windows

[akshay.joshi] Filtered Rows dialog not opened from the context menu. Fixes 
#2699

[Dave Page] Improve display of error messages in the query tool. Fixes #2700

[Dave Page] Fix validation message styling on thegrant wizard. Fixes #2673

[Dave Page] Fix font on alertify dialogues

[Dave Page] Fix an issue where we were executing SELECT statements in 
transactions

[Dave Page] Clarify how virtual envs can be used in WSGI mode, and ensure we 
ship

[Dave Page] Use the correct lexer in the Apache/Windows docs.

[Dave Page] Add the ability to build a basic Docker container.

[Dave Page] Improve icon alignment.

[Ashesh Vashi] Upgraded the font-mfizz to latest version (v:2.4.1) to resolve 
an issue,

[Dave Page] Update release notes.

[Dave Page] Allow selection of SSL certificates and pgpass files in connection

[Dave Page] Dead code cleanup.

[Dave Page] Update release notes.

[Dave Page] Update message catalogs.

[Dave Page] Add missing issue, per Harshal.

[Dave Page] Ensure using an alternate role to connect to a database doesn't 
cause an

[Ashesh Vashi] Using the correct path for the font-mfizz stylesheet.

[Ashesh Vashi] Resolved the logo issue.

[Ashesh Vashi] Remove the reference of font-mfizz completely.

[Ashesh Vashi] Allow to terminate a session from the server, and database 
dashboard.

[Ashesh Vashi] Do not show the terminate session icon in red as per Dave

[Ashesh Vashi] Changed the wording for 'Terminated session successfully'

[Dave Page] Bump version number for release.

[Dave Page] Add missing date.

[Dave Page] Refactor to remove duplicate code for the cancel/terminate buttons 
in

[Dave Page] Ensure HTMLMIN is only used with Python 2.7+

[Dave Page] Remove panels for www.pgadmin.org and www.postgresql.org as they 
won't

[Dave Page] Only allow specification of a pgpass file if libpq >= 10. Fixes 
#2768

[Dave Page] Fix various issues that could cause an exception on startup. Fixes 
#2713

[Dave Page] Remove some unused index directives.

[Dave Page] Add a target for building PDF docs.

[Dave Page] Ensure line numbers form CodeMirror don't appear on top of men

pgAdmin 4 commit: Bump the version to 3.0, per discussion on the mailin

2018-02-05 Thread Dave Page
Bump the version to 3.0, per discussion on the mailing lists

Branch
--
master

Details
---
https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=2706d9cd8e6f98cf543e4e86afe881b8f4b571d3

Modified Files
--
runtime/Info.plist | 4 ++--
web/config.py  | 8 
2 files changed, 6 insertions(+), 6 deletions(-)



pgAdmin 4 commit: Branch refs/heads/runtime-revamp was removed

2018-02-05 Thread git
Branch refs/heads/runtime-revamp was removed.

suggestion: discard python2.x venv

2018-02-05 Thread Ioseph Kim

Hi,

I have used pgadmin4 for 2 months.

pgadmin4 is a good application for PostgreSQL. That is true!

But in a multibyte environment, python2 + pgadmin4 is not a good choice.


If a table name or column name is multibyte, export and import do not
work, because python2 unicode processing is ugly.


And if a server message is multibyte, pgadmin4 does not display it, and
there are many other problems like that.



I changed the venv to python3, and most of the multibyte problems have been
resolved smoothly, as expected.



We need to narrow its focus.


Regards Ioseph




Re: suggestion: discard python2.x venv

2018-02-05 Thread Khushboo Vashi
Hi Ioseph,


On Tue, Feb 6, 2018 at 9:21 AM, Ioseph Kim  wrote:

> Hi,
>
> I have used pgadmin4 for 2 months.
>
> pgadmin4 is a good application for PostgreSQL. That is true!
>
> But in a multibyte environment, python2 + pgadmin4 is not a good choice.
>
>
> If a table name or column name is multibyte, export and import do not work,
> because python2 unicode processing is ugly.
>
> And if a server message is multibyte, pgadmin4 does not display it, and
> there are many other problems like that.
>

Many users have logged bugs in this area and the pgAdmin development team
have been fixing those issues.
Please report your bug @ https://redmine.postgresql.org/projects/pgadmin4 ,
if it's not yet logged.

>
> I changed the venv to python3, and most of the multibyte problems have been
> resolved smoothly, as expected.
>
>
> We need to narrow its focus.
>
>
> Regards Ioseph
>

Thanks,
Khushboo


Re: suggestion: discard python2.x venv

2018-02-05 Thread Murtuza Zabuawala
On Tue, Feb 6, 2018 at 9:21 AM, Ioseph Kim  wrote:

> Hi,
>
> I have used pgadmin4 for 2 months.
>
> pgadmin4 is a good application for PostgreSQL. That is true!
>
> But in a multibyte environment, python2 + pgadmin4 is not a good choice.
>
>
> If a table name or column name is multibyte, export and import do not work,
> because python2 unicode processing is ugly.
>
> And if a server message is multibyte, pgadmin4 does not display it, and
> there are many other problems like that.
>
>
> I changed the venv to python3, and most of the multibyte problems have been
> resolved smoothly, as expected.
>
>
> We need to narrow its focus.
>

AFAIK we are using Python2.x because many enterprise Linux distributions
do not have native support for Python3 (from their default repo), for
example CentOS 6.x, many versions of Red Hat Linux, etc. Admins have to
download and compile Python3.x manually, which adds maintenance of
additional software on their servers (e.g. manual security updates). In
order to support them we are shipping pgAdmin4 with Python2.x. Otherwise
you are correct: Python3 will resolve most of the Unicode related issues
which we are currently facing with pgAdmin4.

-- Murtuza

>
>
> Regards Ioseph
>
>
>


Re: suggestion: discard python2.x venv

2018-02-05 Thread Ioseph Kim

Yes, I agree with you.

Thinking about that:

pgadmin4 is mostly used on Windows or Mac,

and the pgadmin4 Windows installer includes python2.7,

so many users use the python2 environment, with no choice.

If python3 is used in the Windows distribution (builtin python3), this will
be a good choice.



Regards, ioseph.


On 2018-02-06 13:55, Murtuza Zabuawala wrote:

> On Tue, Feb 6, 2018 at 9:21 AM, Ioseph Kim wrote:
>
>> Hi,
>>
>> I have used pgadmin4 for 2 months.
>>
>> pgadmin4 is a good application for PostgreSQL. That is true!
>>
>> But in a multibyte environment, python2 + pgadmin4 is not a good choice.
>>
>>
>> If a table name or column name is multibyte, export and import do not
>> work, because python2 unicode processing is ugly.
>>
>> And if a server message is multibyte, pgadmin4 does not display it, and
>> there are many other problems like that.
>>
>>
>> I changed the venv to python3, and most of the multibyte problems have
>> been resolved smoothly, as expected.
>>
>>
>> We need to narrow its focus.
>
> AFAIK we are using Python2.x because many enterprise Linux
> distributions do not have native support for Python3 (from their
> default repo), for example CentOS 6.x, many versions of Red Hat Linux,
> etc. Admins have to download and compile Python3.x manually, which adds
> maintenance of additional software on their servers (e.g. manual
> security updates). In order to support them we are shipping pgAdmin4
> with Python2.x. Otherwise you are correct: Python3 will resolve most of
> the Unicode related issues which we are currently facing with pgAdmin4.
>
> -- Murtuza
>
>> Regards Ioseph