Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Dhiraj Chawla <dhiraj(dot)chawla(at)enterprisedb(dot)com>
Cc: Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, dlo(at)isam(dot)kiwi, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password
Date: 2014-05-28 11:47:52
Message-ID: CA+OCxoyh3jVNxiioiumiDjoF2ef1rJ4gzkrC3w45mZhFNRZ_mg@mail.gmail.com
Lists: pgadmin-hackers pgsql-bugs

Thanks - patch applied.

On Thu, May 22, 2014 at 6:17 AM, Dhiraj Chawla <
dhiraj(dot)chawla(at)enterprisedb(dot)com> wrote:

> Hi Akshay,
>
> I have reviewed the patch and tested it as well on the Linux platform. The
> patch looks good to me. It is working as expected.
>
> regards,
>
> *Dhiraj Chawla*
> Senior Software Engineer
> EnterpriseDB Corporation
> The Enterprise PostgreSQL Company
>
> Phone: +91-20-30589522
>
>
> On Tue, May 20, 2014 at 5:58 PM, Dhiraj Chawla <
> dhiraj(dot)chawla(at)enterprisedb(dot)com> wrote:
>
>> Sure Dave. I will review the patch and update accordingly.
>>
>> regards,
>>
>> *Dhiraj Chawla*
>> Senior Software Engineer
>> EnterpriseDB Corporation
>> The Enterprise PostgreSQL Company
>>
>> Phone: +91-20-30589522
>>
>>
>> On Fri, May 16, 2014 at 1:53 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>
>>> Thanks Akshay. Dhiraj, can you review please? I'm a little busy right
>>> now.
>>>
>>> Thanks.
>>>
>>>
>>> On Thu, May 15, 2014 at 7:39 AM, Akshay Joshi <
>>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>
>>>> Hi Dave
>>>>
>>>> I have fixed the escaping issue and tested it. It works fine for me.
>>>> Attached is the patch file, can you please review it.
>>>> If code looks good to you, can you please commit the code.
>>>>
>>>>
>>>> On Thu, May 8, 2014 at 2:34 PM, Akshay Joshi <
>>>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>>
>>>>> Sure.
>>>>>
>>>>>
>>>>> On Thu, May 8, 2014 at 1:37 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>>>>
>>>>>> Akshay, can you look into the quoting problem please.
>>>>>>
>>>>>> On Thu, May 8, 2014 at 1:07 AM, Stephen Frost <sfrost(at)snowman(dot)net>
>>>>>> wrote:
>>>>>> > * Heikki Linnakangas (hlinnakangas(at)vmware(dot)com) wrote:
>>>>>> >> (forwarding to pgadmin-hackers)
>>>>>> >
>>>>>> > Ah.
>>>>>> >
>>>>>> >> On 05/07/2014 06:44 PM, Stephen Frost wrote:
>>>>>> >> >* dlo(at)isam(dot)kiwi (dlo(at)isam(dot)kiwi) wrote:
>>>>>> >> >>but when the credential contains the delimiter (colon) it fails to be
>>>>>> >> >>read back out and app responds with "invalid credentials".
>>>>>> >> >>
>>>>>> >> >>x.x.x.x:5432:*:username:password:with:colons
>>>>>> >> >
>>>>>> >> >Per the fine documentation, you need to escape any such usage with a
>>>>>> >> >backslash. Please review:
>>>>>> >>
>>>>>> >> Stephen, you missed the context. pgadmin3 saves .pgpass, when you
>>>>>> >> check the "store password" checkbox in the connection dialog. And
>>>>>> >> apparently pgadmin3 doesn't do that escaping properly.
>>>>>> >
>>>>>> > Wow, that's pretty rough. Hopefully they'll be able to fix it soon. :)
>>>>>> >
>>>>>> > Thanks,
>>>>>> >
>>>>>> > Stephen
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Dave Page
>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>> Twitter: @pgsnake
>>>>>>
>>>>>> EnterpriseDB UK: http://www.enterprisedb.com
>>>>>> The Enterprise PostgreSQL Company
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Akshay Joshi*
>>>>> *Principal Software Engineer *
>>>>>
>>>>>
>>>>>
>>>>> *Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *Akshay Joshi*
>>>> *Principal Software Engineer *
>>>>
>>>>
>>>>
>>>> *Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*
>>>>
>>>
>>>
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EnterpriseDB UK: http://www.enterprisedb.com
>>> The Enterprise PostgreSQL Company
>>>
>>
>>
>

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
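
The .pgpass escaping rule discussed in this thread, as an added example that is not part of the thread and is not the pgAdmin patch. It writes the entry from the report with and without backslash-escaping ':' and '\' and reads both lines back. The function names and the reader are hypothetical illustrations (the reader is not libpq's code), and the entry is constructed from the line quoted in the report.

```cpp
#include <iostream>
#include <string>
#include <vector>

using Fields = std::vector<std::string>;

// Backslash-escape ':' and '\' inside one field, as the .pgpass format requires.
std::string escape_field(const std::string& raw) {
    std::string out;
    for (char c : raw) {
        if (c == ':' || c == '\\') out += '\\';
        out += c;
    }
    return out;
}

// Join fields into one line; escape=false reproduces the reported behaviour.
std::string write_line(const Fields& fields, bool escape) {
    std::string line;
    for (size_t i = 0; i < fields.size(); ++i) {
        if (i) line += ':';
        line += escape ? escape_field(fields[i]) : fields[i];
    }
    return line;
}

// Illustrative reader: split on unescaped ':' and drop the escaping backslashes.
Fields parse_line(const std::string& line) {
    Fields fields(1);
    for (size_t i = 0; i < line.size(); ++i) {
        if (line[i] == '\\' && i + 1 < line.size()) fields.back() += line[++i];
        else if (line[i] == ':') fields.emplace_back();
        else fields.back() += line[i];
    }
    return fields;
}

// Constructed sample entry, modelled on the line quoted in the report.
Fields sample_entry() { return {"x.x.x.x", "5432", "*", "username", "password:with:colons"}; }

int main() {
    for (bool escape : {false, true}) {
        std::string line = write_line(sample_entry(), escape);
        Fields back = parse_line(line);
        std::cout << line << " -> " << back.size() << " fields, password read as \""
                  << back[4] << "\"\n";
    }
}
```

Without escaping, the stored line splits into seven fields and the password field is cut at its first colon, which matches the "invalid credentials" symptom in the report.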
