Added escaping for the placeholder parameters before passing them to the passexec command. #6794
This commit is contained in:
parent
d8ed75dbfd
commit
5e8a75cdf9
@ -349,6 +349,7 @@ export default class ServerSchema extends BaseUISchema {
|
|||||||
group: gettext('Advanced'), controlProps: {maxLength: null},
|
group: gettext('Advanced'), controlProps: {maxLength: null},
|
||||||
mode: ['properties', 'edit', 'create'],
|
mode: ['properties', 'edit', 'create'],
|
||||||
disabled: pgAdmin.server_mode == 'True' && pgAdmin.enable_server_passexec_cmd == 'False',
|
disabled: pgAdmin.server_mode == 'True' && pgAdmin.enable_server_passexec_cmd == 'False',
|
||||||
|
helpMessage: gettext('The server hostname, port, and username can be passed as variables by using the placeholders %HOST%, %PORT%, and %USERNAME%, which will be replaced with the corresponding server connection information.')
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
id: 'passexec_expiration', label: gettext('Password exec expiration (seconds)'), type: 'int',
|
id: 'passexec_expiration', label: gettext('Password exec expiration (seconds)'), type: 'int',
|
||||||
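Review bot: The help text added on the `helpMessage:` line names the placeholder `%HOST%`, but the Python side of this same commit substitutes `%HOSTNAME%` (`self.cmd.replace('%HOSTNAME%', self.host)`), so a user who follows this message ends up with a literal, unexpanded `%HOST%` in the executed command. Change the message to `'... by using the placeholders %HOSTNAME%, %PORT%, and %USERNAME%, which will be replaced ...'` (or make the code accept both spellings). Since the point of the commit is that substituted values are now quoted before insertion, the message should presumably also say so, otherwise users who wrap the placeholder in their own quotes (`--user "%USERNAME%"`) will get doubly quoted arguments once the quoting on the Python side is correct. The ServerSchema field list continues outside this hunk.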
|
@ -14,6 +14,7 @@ from threading import Lock
|
|||||||
from flask import current_app
|
from flask import current_app
|
||||||
|
|
||||||
import config
|
import config
|
||||||
|
from pgadmin.utils.driver import get_driver
|
||||||
|
|
||||||
|
|
||||||
class PasswordExec:
|
class PasswordExec:
|
||||||
@ -22,9 +23,9 @@ class PasswordExec:
|
|||||||
|
|
||||||
def __init__(self, cmd, host, port, username, expiration_seconds=None,
|
def __init__(self, cmd, host, port, username, expiration_seconds=None,
|
||||||
timeout=60):
|
timeout=60):
|
||||||
cmd = str(cmd).replace('%HOSTNAME%', host)
|
self.host = host
|
||||||
cmd = cmd.replace('%PORT%', str(port))
|
self.port = port
|
||||||
cmd = cmd.replace('%USERNAME%', username)
|
self.username = username
|
||||||
self.cmd = cmd
|
self.cmd = cmd
|
||||||
self.expiration_seconds = int(expiration_seconds) \
|
self.expiration_seconds = int(expiration_seconds) \
|
||||||
if expiration_seconds is not None else None
|
if expiration_seconds is not None else None
|
||||||
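Review bot: After this hunk `self.cmd = cmd` stores an unexpanded template, and `host`, `port` and `username` are kept on the instance for a later substitution that happens in a different method, but nothing at the assignment says so, so a reader (or a future caller) may treat `self.cmd` as runnable. A comment above the assignment, `# template only: %HOSTNAME%/%PORT%/%USERNAME% are expanded and quoted at fetch time, see get()`, hedged to whatever the expanding method is actually called, would make the deferred expansion explicit. The constructor is also the natural place to reject a `username`/`host` of `None`, since `str.replace` with a non-string replacement raises a TypeError only at fetch time; `__init__` continues past the end of this hunk, so that check is not visible here.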
@ -36,6 +37,12 @@ class PasswordExec:
|
|||||||
if config.SERVER_MODE and not config.ENABLE_SERVER_PASS_EXEC_CMD:
|
if config.SERVER_MODE and not config.ENABLE_SERVER_PASS_EXEC_CMD:
|
||||||
# Arbitrary shell execution on server is a security risk
|
# Arbitrary shell execution on server is a security risk
|
||||||
raise NotImplementedError('Passexec not available in server mode')
|
raise NotImplementedError('Passexec not available in server mode')
|
||||||
|
driver = get_driver(config.PG_DEFAULT_DRIVER)
|
||||||
|
self.cmd = str(self.cmd)
|
||||||
|
self.cmd = self.cmd.replace('%HOSTNAME%', self.host)
|
||||||
|
self.cmd = self.cmd.replace('%PORT%', str(self.port))
|
||||||
|
self.cmd = self.cmd.replace('%USERNAME%',
|
||||||
|
driver.qtIdent(None,self.username))
|
||||||
with self.lock:
|
with self.lock:
|
||||||
if not self.password or self.is_expired():
|
if not self.password or self.is_expired():
|
||||||
if not self.cmd:
|
if not self.cmd:
|
||||||
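Review bot: `driver.qtIdent(None, self.username)` on the `%USERNAME%` line is a SQL identifier quoter, not a shell quoter: it wraps the value in double quotes, and in a POSIX shell `$(...)`, backticks, `$VAR` and backslash escapes are all still expanded inside double quotes, so a username such as `$(id)` passes through the new "escaping" intact — and the comment at the top of this hunk says the command is run as arbitrary shell on the server. The values should be quoted with `shlex.quote()` (single-quoted, nothing expands; `import shlex` at the top of the file), which also removes the need to pull in `get_driver` here; note this protects POSIX shells only, so if the command is ever launched through `cmd.exe` on Windows a separate strategy is needed. The host is substituted with no quoting at all and needs the same treatment, and `str(self.port)` is only safe if `port` is validated as an integer, which is not visible in this hunk. Because `self.cmd` is rewritten in place on every call, a substituted value that itself contains a placeholder string would be expanded again on the next fetch; expanding into a local would avoid that, but the lines that execute `self.cmd` lie outside this hunk, as do the start and end of the enclosing method.
```python
        # … unchanged: server-mode guard and NotImplementedError …
        # shlex.quote() single-quotes for POSIX sh; SQL identifier quoting
        # (qtIdent) leaves $(...), backticks and $VAR live inside "...".
        self.cmd = str(self.cmd)
        self.cmd = self.cmd.replace('%HOSTNAME%', shlex.quote(str(self.host)))
        self.cmd = self.cmd.replace('%PORT%', shlex.quote(str(self.port)))
        self.cmd = self.cmd.replace('%USERNAME%',
                                    shlex.quote(str(self.username)))
        with self.lock:
            # … unchanged: expiry check and command execution …
```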
|