From 1fc66406f5e3dbe00712e32761bed56bf6cb3c24 Mon Sep 17 00:00:00 2001 From: Dave Page Date: Tue, 12 Feb 2019 16:07:38 +0000 Subject: [PATCH] Don't embed docs and external sites in iframes, to allow the external sites to set X-FRAME-OPTIONS = DENY for security. Fxies #3985 --- docs/en_US/release_notes_4_3.rst | 3 +- .../tablespaces/static/js/tablespace.js | 2 +- web/pgadmin/browser/static/js/browser.js | 42 ++----------------- web/pgadmin/browser/static/js/node.js | 31 +------------- web/pgadmin/browser/static/js/wizard.js | 17 +------- .../dashboard/welcome_dashboard.html | 8 ++-- web/pgadmin/help/__init__.py | 22 ++-------- .../preferences/static/js/preferences.js | 2 +- .../static/js/sqleditor/filter_dialog.js | 2 +- .../backup/static/js/backup_dialog_wrapper.js | 3 +- .../maintenance/static/js/maintenance.js | 2 +- .../static/js/restore_dialog_wrapper.js | 3 +- .../static/js/user_management.js | 4 +- .../backup/backup_dialog_wrapper_spec.js | 10 +---- .../restore/restore_dialog_wrapper_spec.js | 6 +-- 15 files changed, 28 insertions(+), 129 deletions(-) diff --git a/docs/en_US/release_notes_4_3.rst b/docs/en_US/release_notes_4_3.rst index e4ec94e46..a26cf8905 100644 --- a/docs/en_US/release_notes_4_3.rst +++ b/docs/en_US/release_notes_4_3.rst @@ -17,4 +17,5 @@ Bug fixes | `Bug #3873 `_ - Fix context sub-menu alignment on Safari. | `Bug #3942 `_ - Close connections gracefully when the user logs out of pgAdmin. | `Bug #3963 `_ - Fix alignment of import/export toggle switch. -| `Bug #3981 `_ - Fix the query to set bytea_output so that read-only standbys don't consider it a write query. \ No newline at end of file +| `Bug #3981 `_ - Fix the query to set bytea_output so that read-only standbys don't consider it a write query. +| `Bug #3985 `_ - Don't embed docs and external sites in iframes, to allow the external sites to set X-FRAME-OPTIONS = DENY for security. \ No newline at end of file diff --git a/web/pgadmin/browser/server_groups/servers/tablespaces/static/js/tablespace.js b/web/pgadmin/browser/server_groups/servers/tablespaces/static/js/tablespace.js index 167f4292e..457ad282a 100644 --- a/web/pgadmin/browser/server_groups/servers/tablespaces/static/js/tablespace.js +++ b/web/pgadmin/browser/server_groups/servers/tablespaces/static/js/tablespace.js @@ -270,7 +270,7 @@ define('pgadmin.node.tablespace', [ if (e.button.element.name == 'dialog_help') { e.cancel = true; pgBrowser.showHelp(e.button.element.name, e.button.element.getAttribute('url'), - null, null, e.button.element.getAttribute('label')); + null, null); return; } if (e.button.text === gettext('OK')) { diff --git a/web/pgadmin/browser/static/js/browser.js b/web/pgadmin/browser/static/js/browser.js index 5199bc8e5..08108e2be 100644 --- a/web/pgadmin/browser/static/js/browser.js +++ b/web/pgadmin/browser/static/js/browser.js @@ -644,18 +644,8 @@ define('pgadmin.browser', [ obj.enable_disable_menus(); }, // General function to handle callbacks for object or dialog help. - showHelp: function(type, url, node, item, label) { - var iframe, pnlProperties; + showHelp: function(type, url, node, item) { if (type == 'object_help') { - // See if we can find an existing panel, if not, create one - var pnlSqlHelp = this.docker.findPanels('pnl_sql_help')[0]; - - if (pnlSqlHelp == null) { - pnlProperties = this.docker.findPanels('properties')[0]; - this.docker.addPanel('pnl_sql_help', wcDocker.DOCK.STACKED, pnlProperties); - pnlSqlHelp = this.docker.findPanels('pnl_sql_help')[0]; - } - // Construct the URL var server = node.getTreeNodeHierarchy(item).server; var baseUrl = pgBrowser.utils.pg_help_path; @@ -670,35 +660,11 @@ define('pgadmin.browser', [ if (!S(baseUrl).endsWith('/')) { baseUrl = baseUrl + '/'; } - var fullUrl = baseUrl+ url; - // Update the panel - iframe = $(pnlSqlHelp).data('embeddedFrame'); - pnlSqlHelp.title('Help: '+ label); + var fullUrl = baseUrl + url; - pnlSqlHelp.focus(); - iframe.openURL(fullUrl); + window.open(fullUrl, 'postgres_help'); } else if(type == 'dialog_help') { - if(this.docker) { - // See if we can find an existing panel, if not, create one - var pnlDialogHelp = this.docker.findPanels('pnl_online_help')[0]; - - if (pnlDialogHelp == null) { - pnlProperties = this.docker.findPanels('properties')[0]; - this.docker.addPanel('pnl_online_help', wcDocker.DOCK.STACKED, pnlProperties); - pnlDialogHelp = this.docker.findPanels('pnl_online_help')[0]; - } - - // Update the panel - iframe = $(pnlDialogHelp).data('embeddedFrame'); - - pnlDialogHelp.focus(); - iframe.openURL(url); - } else { - // We have added new functionality of opening Query tool & debugger in new - // browser tab, In that case we will not have docker object available - // so we will open dialog help in new browser tab - window.open(url, '_blank'); - } + window.open(url, 'pgadmin_help'); } }, _findTreeChildNode: function(_i, _d, _o) { diff --git a/web/pgadmin/browser/static/js/node.js b/web/pgadmin/browser/static/js/node.js index 30605ddc6..696f8f530 100644 --- a/web/pgadmin/browser/static/js/node.js +++ b/web/pgadmin/browser/static/js/node.js @@ -1201,15 +1201,6 @@ define('pgadmin.browser.node', [ j.append(content); }.bind(panel), onSqlHelp = function() { - // See if we can find an existing panel, if not, create one - var pnlSqlHelp = pgBrowser.docker.findPanels('pnl_sql_help')[0]; - - if (pnlSqlHelp == null) { - var pnlProperties = pgBrowser.docker.findPanels('properties')[0]; - pgBrowser.docker.addPanel('pnl_sql_help', wcDocker.DOCK.STACKED, pnlProperties); - pnlSqlHelp = pgBrowser.docker.findPanels('pnl_sql_help')[0]; - } - // Construct the URL var server = that.getTreeNodeHierarchy(item).server; @@ -1237,29 +1228,11 @@ define('pgadmin.browser.node', [ } } - // Update the panel - var iframe = $(pnlSqlHelp).data('embeddedFrame'); - pnlSqlHelp.title('SQL: ' + that.label); - - pnlSqlHelp.focus(); - iframe.openURL(url); + window.open(url, 'postgres_help'); }.bind(panel), onDialogHelp = function() { - // See if we can find an existing panel, if not, create one - var pnlDialogHelp = pgBrowser.docker.findPanels('pnl_online_help')[0]; - - if (pnlDialogHelp == null) { - var pnlProperties = pgBrowser.docker.findPanels('properties')[0]; - pgBrowser.docker.addPanel('pnl_online_help', wcDocker.DOCK.STACKED, pnlProperties); - pnlDialogHelp = pgBrowser.docker.findPanels('pnl_online_help')[0]; - } - - // Update the panel - var iframe = $(pnlDialogHelp).data('embeddedFrame'); - - pnlDialogHelp.focus(); - iframe.openURL(that.dialogHelp); + window.open(that.dialogHelp, 'pgadmin_help'); }.bind(panel), onSave = function(view, saveBtn) { diff --git a/web/pgadmin/browser/static/js/wizard.js b/web/pgadmin/browser/static/js/wizard.js index 5154f5487..98bca9983 100644 --- a/web/pgadmin/browser/static/js/wizard.js +++ b/web/pgadmin/browser/static/js/wizard.js @@ -12,8 +12,6 @@ define([ 'sources/gettext', 'sources/utils', ], function(_, $, Backbone, pgAdmin, pgBrowser, gettext, commonUtils) { - var wcDocker = window.wcDocker; - /* Wizard individual Page Model */ pgBrowser.WizardPage = Backbone.Model.extend({ defaults: { @@ -309,20 +307,7 @@ define([ return (_.isFunction(func) ? func.apply(ctx, [self]) : func); }, onDialogHelp: function() { - // See if we can find an existing panel, if not, create one - var pnlDialogHelp = pgBrowser.docker.findPanels('pnl_online_help')[0]; - - if (pnlDialogHelp == null) { - var pnlProperties = pgBrowser.docker.findPanels('properties')[0]; - pgBrowser.docker.addPanel('pnl_online_help', wcDocker.DOCK.STACKED, pnlProperties); - pnlDialogHelp = pgBrowser.docker.findPanels('pnl_online_help')[0]; - } - - // Update the panel - var iframe = $(pnlDialogHelp).data('embeddedFrame'); - - pnlDialogHelp.focus(); - iframe.openURL(this.options.wizard_help); + window.open(this.options.wizard_help, 'pgadmin_help'); }, }); diff --git a/web/pgadmin/dashboard/templates/dashboard/welcome_dashboard.html b/web/pgadmin/dashboard/templates/dashboard/welcome_dashboard.html index cf358ace2..35ebba07e 100644 --- a/web/pgadmin/dashboard/templates/dashboard/welcome_dashboard.html +++ b/web/pgadmin/dashboard/templates/dashboard/welcome_dashboard.html @@ -47,25 +47,25 @@
- +
{{ _('PostgreSQL Documentation') }}
- +
{{ _('pgAdmin Website') }}
- +
{{ _('Planet PostgreSQL') }}
- +
{{ _('Community Support') }} diff --git a/web/pgadmin/help/__init__.py b/web/pgadmin/help/__init__.py index d0589916c..016bbc6d0 100644 --- a/web/pgadmin/help/__init__.py +++ b/web/pgadmin/help/__init__.py @@ -26,40 +26,24 @@ class HelpModule(PgAdminModule): MenuItem(name='mnu_online_help', label=gettext('Online Help'), priority=100, - target='_blank', + target='pgadmin_help', icon='fa fa-question', url=url_for('help.static', filename='index.html')), MenuItem(name='mnu_pgadmin_website', label=gettext('pgAdmin Website'), priority=200, - target='_blank', + target='pgadmin_website', icon='fa fa-external-link', url='https://www.pgadmin.org/'), MenuItem(name='mnu_postgresql_website', label=gettext('PostgreSQL Website'), priority=300, - target='_blank', + target='postgres_website', icon='fa fa-external-link', url='https://www.postgresql.org/')]} - def get_panels(self): - return [ - Panel( - name='pnl_online_help', - priority=100, - isPrivate=True, - title=gettext('Online Help'), - icon='fa fa-question').__dict__, - - Panel( - name='pnl_sql_help', - priority=200, - isPrivate=True, - icon='fa fa-info', - title=gettext('SQL Help')).__dict__] - def register_preferences(self): """ register_preferences diff --git a/web/pgadmin/preferences/static/js/preferences.js b/web/pgadmin/preferences/static/js/preferences.js index 263b03f42..15d9e088d 100644 --- a/web/pgadmin/preferences/static/js/preferences.js +++ b/web/pgadmin/preferences/static/js/preferences.js @@ -447,7 +447,7 @@ define('pgadmin.preferences', [ if (e.button.element.name == 'dialog_help') { e.cancel = true; pgBrowser.showHelp(e.button.element.name, e.button.element.getAttribute('url'), - null, null, e.button.element.getAttribute('label')); + null, null); return; } diff --git a/web/pgadmin/static/js/sqleditor/filter_dialog.js b/web/pgadmin/static/js/sqleditor/filter_dialog.js index d51452fad..ac7e2a22f 100644 --- a/web/pgadmin/static/js/sqleditor/filter_dialog.js +++ b/web/pgadmin/static/js/sqleditor/filter_dialog.js @@ -206,7 +206,7 @@ let FilterDialog = { if (e.button.element.name == 'dialog_help') { e.cancel = true; pgAdmin.Browser.showHelp(e.button.element.name, e.button.element.getAttribute('url'), - null, null, e.button.element.getAttribute('label')); + null, null); return; } else if (e.button['data-btn-name'] === 'ok') { e.cancel = true; // Do not close dialog diff --git a/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js b/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js index a9a01e5d9..26c97edad 100644 --- a/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js +++ b/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js @@ -114,8 +114,7 @@ export class BackupDialogWrapper extends DialogWrapper { event.button.element.name, event.button.element.getAttribute('url'), node, - selectedTreeNode.getHtmlIdentifier(), - event.button.element.getAttribute('label') + selectedTreeNode.getHtmlIdentifier() ); return; } diff --git a/web/pgadmin/tools/maintenance/static/js/maintenance.js b/web/pgadmin/tools/maintenance/static/js/maintenance.js index 423ba7c67..fe38d0959 100644 --- a/web/pgadmin/tools/maintenance/static/js/maintenance.js +++ b/web/pgadmin/tools/maintenance/static/js/maintenance.js @@ -336,7 +336,7 @@ define([ if (e.button.element.name == 'dialog_help' || e.button.element.name == 'object_help') { e.cancel = true; pgBrowser.showHelp(e.button.element.name, e.button.element.getAttribute('url'), - node, i, e.button.element.getAttribute('label')); + node, i); return; } diff --git a/web/pgadmin/tools/restore/static/js/restore_dialog_wrapper.js b/web/pgadmin/tools/restore/static/js/restore_dialog_wrapper.js index aba30480f..88d5da327 100644 --- a/web/pgadmin/tools/restore/static/js/restore_dialog_wrapper.js +++ b/web/pgadmin/tools/restore/static/js/restore_dialog_wrapper.js @@ -114,8 +114,7 @@ export class RestoreDialogWrapper extends DialogWrapper { event.button.element.name, event.button.element.getAttribute('url'), node, - selectedTreeNode.getHtmlIdentifier(), - event.button.element.getAttribute('label') + selectedTreeNode.getHtmlIdentifier() ); return; } diff --git a/web/pgadmin/tools/user_management/static/js/user_management.js b/web/pgadmin/tools/user_management/static/js/user_management.js index 07102662e..8aeea3a5a 100644 --- a/web/pgadmin/tools/user_management/static/js/user_management.js +++ b/web/pgadmin/tools/user_management/static/js/user_management.js @@ -123,7 +123,7 @@ define([ if (e.button.element.name == 'dialog_help') { e.cancel = true; pgBrowser.showHelp(e.button.element.name, e.button.element.getAttribute('url'), - null, null, e.button.element.getAttribute('label')); + null, null); return; } }, @@ -868,7 +868,7 @@ define([ if (e.button.element.name == 'dialog_help') { e.cancel = true; pgBrowser.showHelp(e.button.element.name, e.button.element.getAttribute('url'), - null, null, e.button.element.getAttribute('label')); + null, null); return; } if (e.button.element.name == 'close') { diff --git a/web/regression/javascript/backup/backup_dialog_wrapper_spec.js b/web/regression/javascript/backup/backup_dialog_wrapper_spec.js index 720ee32c0..537763f1b 100644 --- a/web/regression/javascript/backup/backup_dialog_wrapper_spec.js +++ b/web/regression/javascript/backup/backup_dialog_wrapper_spec.js @@ -245,8 +245,6 @@ describe('BackupDialogWrapper', () => { getAttribute: (attributeName) => { if (attributeName === 'url') { return 'http://someurl'; - } else if (attributeName === 'label') { - return 'some label'; } }, }, @@ -260,8 +258,7 @@ describe('BackupDialogWrapper', () => { 'dialog_help', 'http://someurl', pgBrowser.Nodes['server'], - serverTreeNode.getHtmlIdentifier(), - 'some label' + serverTreeNode.getHtmlIdentifier() ); }); @@ -288,8 +285,6 @@ describe('BackupDialogWrapper', () => { getAttribute: (attributeName) => { if (attributeName === 'url') { return 'http://someurl'; - } else if (attributeName === 'label') { - return 'some label'; } }, }, @@ -303,8 +298,7 @@ describe('BackupDialogWrapper', () => { 'object_help', 'http://someurl', pgBrowser.Nodes['server'], - serverTreeNode.getHtmlIdentifier(), - 'some label' + serverTreeNode.getHtmlIdentifier() ); }); diff --git a/web/regression/javascript/restore/restore_dialog_wrapper_spec.js b/web/regression/javascript/restore/restore_dialog_wrapper_spec.js index df6b91600..04d7348f7 100644 --- a/web/regression/javascript/restore/restore_dialog_wrapper_spec.js +++ b/web/regression/javascript/restore/restore_dialog_wrapper_spec.js @@ -252,8 +252,7 @@ describe('RestoreDialogWrapper', () => { 'dialog_help', 'http://someurl', pgBrowser.Nodes['server'], - serverTreeNode.getHtmlIdentifier(), - 'some label' + serverTreeNode.getHtmlIdentifier() ); }); @@ -294,8 +293,7 @@ describe('RestoreDialogWrapper', () => { 'object_help', 'http://someurl', pgBrowser.Nodes['server'], - serverTreeNode.getHtmlIdentifier(), - 'some label' + serverTreeNode.getHtmlIdentifier() ); });