Fix unsafe schema lookups for types. Fixes #1728
parent
345ce1b6d2
commit
11e486f96d
|
@ -906,12 +906,13 @@ class TypeView(PGChildNodeView, DataTypeReader):
|
||||||
if not status:
|
if not status:
|
||||||
return internal_server_error(errormsg=res)
|
return internal_server_error(errormsg=res)
|
||||||
|
|
||||||
# we need scid to update in browser tree
|
if 'schema' in data:
|
||||||
SQL = render_template("/".join([self.template_path,
|
# we need scid to update in browser tree
|
||||||
'get_scid.sql']), tname=data['name'])
|
SQL = render_template("/".join([self.template_path,
|
||||||
status, scid = self.conn.execute_scalar(SQL)
|
'get_scid.sql']), schema=data['schema'])
|
||||||
if not status:
|
status, scid = self.conn.execute_scalar(SQL)
|
||||||
return internal_server_error(errormsg=scid)
|
if not status:
|
||||||
|
return internal_server_error(errormsg=scid)
|
||||||
|
|
||||||
# we need oid to to add object in tree at browser
|
# we need oid to to add object in tree at browser
|
||||||
SQL = render_template("/".join([self.template_path,
|
SQL = render_template("/".join([self.template_path,
|
||||||
|
@ -956,7 +957,7 @@ class TypeView(PGChildNodeView, DataTypeReader):
|
||||||
return internal_server_error(errormsg=res)
|
return internal_server_error(errormsg=res)
|
||||||
|
|
||||||
SQL = render_template("/".join([self.template_path,
|
SQL = render_template("/".join([self.template_path,
|
||||||
'get_scid.sql']), tname=data['name'])
|
'get_scid.sql']), tid=tid)
|
||||||
|
|
||||||
# Get updated schema oid
|
# Get updated schema oid
|
||||||
status, scid = self.conn.execute_scalar(SQL)
|
status, scid = self.conn.execute_scalar(SQL)
|
||||||
|
|
|
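Review bot: In the first hunk `scid` is reassigned only inside `if 'schema' in data:`, so a request without a `schema` key reaches the browser-tree code with whatever `scid` held earlier in the method; that binding is outside the hunk and should be confirmed to be the schema id taken from the request. Inside the branch only `status` is checked, so if `get_scid.sql` matches no namespace the scalar is presumably empty and would be carried into the tree node. A guard after the status check, for example `if scid is None:` followed by an error return, would make that case explicit. The `tid=tid` lookup in the second hunk has the same gap. It would also help to extend the existing comment to say why the lookup uses the schema name (or the type oid) rather than the type name, since that is the point of the fix. Both enclosing methods start and end outside the hunks.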
@ -1,6 +1,15 @@
|
||||||
|
{% if tid %}
|
||||||
SELECT
|
SELECT
|
||||||
t.typnamespace as scid
|
t.typnamespace as scid
|
||||||
FROM
|
FROM
|
||||||
pg_type t
|
pg_type t
|
||||||
WHERE
|
WHERE
|
||||||
t.typname = {{tname|qtLiteral}}::text;
|
t.oid = {{tid}}::oid;
|
||||||
|
{% else %}
|
||||||
|
SELECT
|
||||||
|
ns.oid as scid
|
||||||
|
FROM
|
||||||
|
pg_namespace ns
|
||||||
|
WHERE
|
||||||
|
ns.nspname = {{schema|qtLiteral}}::text;
|
||||||
|
{% endif %}
|
||||||
|
|
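Review bot: `t.oid = {{tid}}::oid;` puts `tid` into the statement with no filter, while the `schema` branch and the line it replaces both go through `qtLiteral`. The `::oid` cast is evaluated by the server only after the text is already part of the query, so this branch is safe only while every caller passes an integer. The visible caller forwards `tid=tid` unchanged, and whether the route constrains it to an integer is not shown here. Using `t.oid = {{tid|qtLiteral}}::oid;` keeps the template safe on its own, provided the filter accepts integer input in this code base. Separately, `{% if tid %}` falls through to the namespace query whenever `tid` is absent or falsy, so a render with neither `tid` nor `schema` yields a query built from an undefined value; `{% elif schema %}` for the second branch would avoid that.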