Fix an XSS issue when username contains XSS vulnerable text. Fixes #4386

2019-06-24 16:06:03 +05:30 · 2019-06-24 16:06:03 +05:30 · c39d257bf6
parent b3490ba3de
commit c39d257bf6
7 changed files with 35 additions and 29 deletions
--- a/docs/en_US/release_notes_4_9.rst
+++ b/docs/en_US/release_notes_4_9.rst
@ -40,4 +40,5 @@ Bug fixes
 | `Bug #4365 <https://redmine.postgresql.org/issues/4365>`_ - Fix help links for backup globals and backup server.
 | `Bug #4367 <https://redmine.postgresql.org/issues/4367>`_ - Fix an XSS issue seen in View/Edit data mode if a column name includes HTML.
 | `Bug #4378 <https://redmine.postgresql.org/issues/4378>`_ - Ensure Python escaping matched JS escaping and fix a minor XSS issue in the Query Tool that required superuser access to trigger.
-| `Bug #4380 <https://redmine.postgresql.org/issues/4380>`_ - Ensure that both columns and partitions can be edited at the same time in the table dialog.
+| `Bug #4380 <https://redmine.postgresql.org/issues/4380>`_ - Ensure that both columns and partitions can be edited at the same time in the table dialog.
+| `Bug #4386 <https://redmine.postgresql.org/issues/4386>`_ - Fix an XSS issue when username contains XSS vulnerable text.
--- a/web/pgadmin/tools/datagrid/static/js/datagrid.js
+++ b/web/pgadmin/tools/datagrid/static/js/datagrid.js
@ -13,10 +13,10 @@ define('pgadmin.datagrid', [
  'sources/sqleditor_utils', 'backbone',
  'tools/datagrid/static/js/show_data',
  'tools/datagrid/static/js/show_query_tool', 'pgadmin.browser.toolbar',
-  'wcdocker',
+  'tools/datagrid/static/js/datagrid_panel_title', 'wcdocker',
 ], function(
  gettext, url_for, $, _, alertify, pgAdmin, codemirror, sqlEditorUtils,
-  Backbone, showData, showQueryTool, toolBar
+  Backbone, showData, showQueryTool, toolBar, panelTitleFunc
 ) {
  // Some scripts do export their object in the window only.
  // Generally the one, which do no have AMD support.
@ -263,21 +263,7 @@ define('pgadmin.datagrid', [
      launch_grid: function(trans_obj) {
        var self = this,
          panel_title = trans_obj.panel_title,
-          grid_title = trans_obj.panel_title,
-          panel_icon = '',
-          panel_tooltip = '';
-
-        if (trans_obj.is_query_tool == 'false') {
-          // Edit grid titles
-          panel_tooltip = gettext('View/Edit Data - ') + grid_title;
-          panel_title = grid_title;
-          panel_icon = 'fa fa-table';
-        } else {
-          // Query tool titles
-          panel_tooltip = gettext('Query Tool - ') + grid_title;
-          panel_title = grid_title;
-          panel_icon = 'fa fa-bolt';
-        }
+          grid_title = trans_obj.panel_title;

        // Open the panel if frame is initialized
        let titileForURLObj = sqlEditorUtils.removeSlashInTheString(grid_title);
@ -313,8 +299,7 @@ define('pgadmin.datagrid', [
          var queryToolPanel = pgBrowser.docker.addPanel('frm_datagrid', wcDocker.DOCK.STACKED, propertiesPanel[0]);

          // Set panel title and icon
-          queryToolPanel.title('<span title="'+_.escape(panel_tooltip)+'">'+_.escape(panel_title)+'</span>');
-          queryToolPanel.icon(panel_icon);
+          panelTitleFunc.setQueryToolDockerTitle(queryToolPanel, trans_obj.is_query_tool, panel_title);
          queryToolPanel.focus();

          // Listen on the panel closed event.
--- a/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
+++ b/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js
@ -8,6 +8,7 @@
 //////////////////////////////////////////////////////////////

 import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node';
+import gettext from 'sources/gettext';

 function getDatabaseLabel(parentData) {
  return parentData.database ? parentData.database.label
@ -33,3 +34,24 @@ export function getPanelTitle(pgBrowser, selected_item=null) {

  return `${db_label}/${parentData.server.user.name}@${parentData.server.label}`;
 }
+
+export function setQueryToolDockerTitle(panel, is_query_tool, panel_title, is_file) {
+  let panel_icon = '', panel_tooltip = '';
+
+  if(is_file || is_file == 'true'){
+    panel_tooltip = gettext('File - ') + panel_title;
+    panel_icon = 'fa fa-file-text-o';
+  }
+  else if (is_query_tool == 'false' || is_query_tool == false) {
+    // Edit grid titles
+    panel_tooltip = gettext('View/Edit Data - ') + panel_title;
+    panel_icon = 'fa fa-table';
+  } else {
+    // Query tool titles
+    panel_tooltip = gettext('Query Tool - ') + panel_title;
+    panel_icon = 'fa fa-bolt';
+  }
+
+  panel.title('<span title="'+_.escape(panel_tooltip)+'">'+_.escape(panel_title)+'</span>');
+  panel.icon(panel_icon);
+}
--- a/web/pgadmin/tools/datagrid/static/js/show_data.js
+++ b/web/pgadmin/tools/datagrid/static/js/show_data.js
@ -9,7 +9,7 @@
 import gettext from '../../../../static/js/gettext';
 import url_for from '../../../../static/js/url_for';
 import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node';
-import {getPanelTitle} from './get_panel_title';
+import {getPanelTitle} from './datagrid_panel_title';
 import CodeMirror from 'bundled_codemirror';
 import * as SqlEditorUtils from 'sources/sqleditor_utils';
 import $ from 'jquery';
--- a/web/pgadmin/tools/datagrid/static/js/show_query_tool.js
+++ b/web/pgadmin/tools/datagrid/static/js/show_query_tool.js
@ -10,7 +10,7 @@
 import gettext from '../../../../static/js/gettext';
 import url_for from '../../../../static/js/url_for';
 import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node';
-import {getPanelTitle} from './get_panel_title';
+import {getPanelTitle} from './datagrid_panel_title';

 function hasDatabaseInformation(parentData) {
  return parentData.database;
--- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
@ -36,6 +36,7 @@ define('tools.querytool', [
  'sources/sqleditor/call_render_after_poll',
  'sources/sqleditor/query_tool_preferences',
  'sources/csrf',
+  'tools/datagrid/static/js/datagrid_panel_title',
  'sources/../bundle/slickgrid',
  'pgadmin.file_manager',
  'backgrid.sizeable.columns',
@ -50,7 +51,7 @@ define('tools.querytool', [
  XCellSelectionModel, setStagedRows, SqlEditorUtils, ExecuteQuery, httpErrorHandler, FilterHandler,
  GeometryViewer, historyColl, queryHist,
  keyboardShortcuts, queryToolActions, queryToolNotifications, Datagrid,
-  modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, csrfToken) {
+  modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, csrfToken, panelTitleFunc) {
  /* Return back, this has been called more than once */
  if (pgAdmin.SqlEditor)
    return pgAdmin.SqlEditor;
@ -3046,7 +3047,7 @@ define('tools.querytool', [
      },

      // Set panel title.
-      setTitle: function(title, unsafe) {
+      setTitle: function(title, is_file) {
        var self = this;

        if (self.preferences.new_browser_tab) {
@ -3054,10 +3055,7 @@ define('tools.querytool', [
        } else {
          _.each(window.top.pgAdmin.Browser.docker.findPanels('frm_datagrid'), function(p) {
            if (p.isVisible()) {
-              if(unsafe) {
-                title = _.escape(title);
-              }
-              p.title(title);
+              panelTitleFunc.setQueryToolDockerTitle(p, self.is_query_tool, title, is_file);
            }
          });
        }
--- a/web/regression/javascript/datagrid/get_panel_title_spec.js
+++ b/web/regression/javascript/datagrid/get_panel_title_spec.js
@ -7,7 +7,7 @@
 //
 //////////////////////////////////////////////////////////////

-import {getPanelTitle} from '../../../pgadmin/tools/datagrid/static/js/get_panel_title';
+import {getPanelTitle} from '../../../pgadmin/tools/datagrid/static/js/datagrid_panel_title';
 import {TreeFake} from '../tree/tree_fake';
 import {TreeNode} from '../../../pgadmin/static/js/tree/tree';