Fix unsafe schema lookups for types. Fixes #1728

pull/3/head
Surinder Kumar 2016-10-18 11:32:43 +01:00 committed by Dave Page
parent 345ce1b6d2
commit 11e486f96d
2 changed files with 18 additions and 8 deletions


@ -906,12 +906,13 @@ class TypeView(PGChildNodeView, DataTypeReader):
if not status: if not status:
return internal_server_error(errormsg=res) return internal_server_error(errormsg=res)
# we need scid to update in browser tree if 'schema' in data:
SQL = render_template("/".join([self.template_path, # we need scid to update in browser tree
'get_scid.sql']), tname=data['name']) SQL = render_template("/".join([self.template_path,
status, scid = self.conn.execute_scalar(SQL) 'get_scid.sql']), schema=data['schema'])
if not status: status, scid = self.conn.execute_scalar(SQL)
return internal_server_error(errormsg=scid) if not status:
return internal_server_error(errormsg=scid)
# we need oid to to add object in tree at browser # we need oid to to add object in tree at browser
SQL = render_template("/".join([self.template_path, SQL = render_template("/".join([self.template_path,
@ -956,7 +957,7 @@ class TypeView(PGChildNodeView, DataTypeReader):
return internal_server_error(errormsg=res) return internal_server_error(errormsg=res)
SQL = render_template("/".join([self.template_path, SQL = render_template("/".join([self.template_path,
'get_scid.sql']), tname=data['name']) 'get_scid.sql']), tid=tid)
# Get updated schema oid # Get updated schema oid
status, scid = self.conn.execute_scalar(SQL) status, scid = self.conn.execute_scalar(SQL)
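Review bot: In the first hunk, `if 'schema' in data:` also passes when the key is present but empty or null; the lookup would then presumably match no row and overwrite `scid` with an empty result that later feeds the browser tree node. `if data.get('schema'):` would leave the existing `scid` untouched in that case. When the branch is skipped, `scid` keeps whatever value it had before, which is bound outside this hunk; a comment such as `# schema not supplied: keep the scid already in scope` would make that fallback explicit. The enclosing methods of both hunks start and end outside the visible lines.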


@ -1,6 +1,15 @@
{% if tid %}
SELECT SELECT
t.typnamespace as scid t.typnamespace as scid
FROM FROM
pg_type t pg_type t
WHERE WHERE
t.typname = {{tname|qtLiteral}}::text; t.oid = {{tid}}::oid;
{% else %}
SELECT
ns.oid as scid
FROM
pg_namespace ns
WHERE
ns.nspname = {{schema|qtLiteral}}::text;
{% endif %}
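Review bot: In the `{% if tid %}` branch, `{{tid}}` is rendered into the statement without `qtLiteral`, unlike `schema` in the else branch and `tname` in the old query, so the query is only safe if every caller guarantees `tid` is an integer. The caller in this commit passes `tid=tid` straight through, and where that value is validated is not visible here. Rendering it as `t.oid = {{tid|qtLiteral}}::oid;` keeps the template safe regardless of caller. A falsy `tid` also falls through to the else branch, where `schema` may be undefined, so a header comment such as `{# expects either tid (type oid) or schema (namespace name) #}` would document the contract.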