1) Disable the PSQL feature entirely in server mode by default.

2) Remove the code that attempts to filter out commands.

refs #2341

docs/en_US/psql_tool.rst

@@ -10,10 +10,6 @@ PSQL tool allows user to connect to PostgreSQL/EDB Advanced server using psql te
 
 * PSQL will connect to the current connected database from browser tree.
 
-* PSQL utility does support execution of OS meta-commands by using "\\!". Due
-  to security concerns, we have disabled the execution of such commands in
-  pgAdmin. To enable OS meta-commands set ALLOW_PSQL_SHELL_COMMANDS = True in configuration.
-
 .. image:: images/psql_tool.png
     :alt: PSQL tool window
     :align: center

web/config.py

@@ -620,7 +620,6 @@ LDAP_CA_CERT_FILE = ''
 LDAP_CERT_FILE = ''
 LDAP_KEY_FILE = ''
 
-
 ##########################################################################
 # Kerberos Configuration
 ##########################################################################
@@ -645,18 +644,12 @@ KERBEROS_CCACHE_DIR = os.path.join(DATA_DIR, 'krbccache')
 ##########################################################################
 # PSQL tool settings
 ##########################################################################
-# This will enable PSQL tool in pgAdmin. So user can execute the commands
-# using PSQL terminal in pgAdmin.
-ENABLE_PSQL = True
+# This will enable PSQL tool in pgAdmin when running in server mode.
+# PSQL is always enabled in Desktop mode, however in server mode it is
+# disabled by default because users can run arbitrary commands on the
+# server through it.
+ENABLE_PSQL = False
 
-# ALLOW_PSQL_SHELL_COMMAND = True will disable the execution of os level
-# commands using meta command \! from PSQL terminal.
-# As PSQL allow user to execute the os level commands from the PSQL terminal
-# user can execute any system level command as per the system login user
-# privileges. Default this setting is set to False but if it set to True
-# User will able to execute the system level commands through PSQL terminal
-# in pgAdmin.
-ALLOW_PSQL_SHELL_COMMANDS = False
 ##########################################################################
 # ENABLE_BINARY_PATH_BROWSING setting is used to enable the browse button
 # while selecting binary path for the database server in server mode.
@@ -702,3 +695,5 @@ if 'PGADMIN_CONFIG_DEFAULT_SERVER' in os.environ:
 # Disable USER_INACTIVITY_TIMEOUT when SERVER_MODE=False
 if not SERVER_MODE:
     USER_INACTIVITY_TIMEOUT = 0
+    # Enable PSQL in Desktop Mode.
+    ENABLE_PSQL = True

web/pgadmin/browser/templates/browser/js/utils.js

@@ -54,7 +54,6 @@ define('pgadmin.browser.utils',
 
   /* GET PSQL Tool related config */
   pgAdmin['enable_psql'] =  '{{enable_psql}}' == 'True';
-  pgAdmin['allow_psql_shell_commands'] =  '{{ current_app.config.get('ALLOW_PSQL_SHELL_COMMANDS') }}'  == 'True';
   pgAdmin['platform'] =  '{{platform}}';
   pgAdmin['qt_default_placeholder'] = '{{qt_default_placeholder}}'
 

web/pgadmin/tools/psql/__init__.py

@@ -128,8 +128,6 @@ def set_term_size(fd, row, col, xpix=0, ypix=0):
     """
     if _platform == 'win32':
         app.config['sessions'][request.sid].setwinsize(row, col)
-        # data = {'key_name': 'Enter', 'input': '\n'}
-        # socket_input(data)
     else:
         term_size = struct.pack('HHHH', row, col, xpix, ypix)
         fcntl.ioctl(fd, termios.TIOCSWINSZ, term_size)
@@ -462,91 +460,6 @@ def check_last_exe_cmd(data):
     return user_input
 
 
-def invalid_cmd():
-    """
-    Invalid command
-    :return:
-    :rtype:
-    """
-    session_last_cmd[request.sid]['invalid_cmd'] = True
-    if _platform == 'win32':
-        for i in range(len(session_input[request.sid])):
-            app.config['sessions'][request.sid].write('\b \b')
-        app.config['sessions'][request.sid].write('\r\n')
-
-        sio.emit(
-            'pty-output',
-            {
-                'result': gettext(
-                    "ERROR: Shell commands are disabled "
-                    "in psql for security\r\n"),
-                'error': True
-            },
-            namespace='/pty', room=request.sid)
-    else:
-        for i in range(len(session_input[request.sid])):
-            os.write(app.config['sessions'][request.sid],
-                     '\b \b'.encode())
-
-        os.write(app.config['sessions'][request.sid],
-                 '\n'.encode())
-    session_input[request.sid] = ''
-
-
-def check_valid_cmd(user_input):
-    """
-    Check if user entered a valid cmd and \\! command is preset as a string
-    only in current executing command. if \\! is present as command don't
-    allow the execution of command.
-    :param user_input:
-    :return:
-    """
-    stop_execution = True
-    # Check \! is passed as string or not.
-    double_quote_strs = re.findall('"([^"]*)"', user_input)
-    if not double_quote_strs:
-        double_quote_strs = re.findall("'([^']*)'", user_input)
-
-    if double_quote_strs:
-        for sub_str in double_quote_strs:
-            if re.search("\\\!", sub_str):
-                stop_execution = False
-                # break
-
-    if stop_execution:
-        session_last_cmd[request.sid]['invalid_cmd'] = True
-        if _platform == 'win32':
-            # Remove already added command from terminal.
-            for i in range(len(user_input)):
-                app.config['sessions'][request.sid].write('\b \b')
-            app.config['sessions'][request.sid].write('\n')
-
-            sio.emit(
-                'pty-output',
-                {
-                    'result': gettext(
-                        "ERROR: Shell commands are disabled "
-                        "in psql for security\r\n"),
-                    'error': True
-                },
-                namespace='/pty', room=request.sid)
-        else:
-            # Remove already added command from terminal.
-            for i in range(len(user_input)):
-                os.write(app.config['sessions'][request.sid],
-                         '\b \b'.encode())
-            # Add Enter event to execute the command.
-            os.write(app.config['sessions'][request.sid],
-                     '\n'.encode())
-    else:
-        session_last_cmd[request.sid]['invalid_cmd'] = False
-        if _platform == 'win32':
-            app.config['sessions'][request.sid].write('\n')
-        else:
-            os.write(app.config['sessions'][request.sid],
-                     '\n'.encode())
-
-
 def enter_key_press(data):
     """
     Handel the Enter key press event.
@@ -555,23 +468,8 @@ def enter_key_press(data):
     user_input = check_last_exe_cmd(data)
     session_input_cursor[request.sid] = 0
 
-    # If ALLOW_PSQL_SHELL_COMMANDS is False then user can't execute
-    # \! meta command to run shell commands through PSQL terminal.
-    # Check before executing the user entered command does not
-    # contains \! in input.
-    is_new_connection = session_last_cmd[request.sid][
-        'is_new_connection']
-
-    if user_input.startswith('\\!') and re.match("^\\\!$", user_input) and len(
-        user_input) == 2 and not config.ALLOW_PSQL_SHELL_COMMANDS \
-            and not is_new_connection:
-        invalid_cmd()
-    elif re.search("\\\!", user_input) and \
-        not config.ALLOW_PSQL_SHELL_COMMANDS and\
-            not session_last_cmd[request.sid]['is_new_connection']:
-        check_valid_cmd(user_input)
-    elif user_input == '\q' or user_input == 'q\\q' or user_input in ['exit',
-                                                                      'exit;']:
+    if user_input == '\q' or user_input == 'q\\q' or user_input in\
+            ['\quit', 'exit', 'exit;']:
         # If user enter \q to terminate the PSQL, emit the msg to
         # notify user connection is terminated.
         sio.emit('pty-output',