From 9dd1bae3c74702dd2b532c8b5066c5786deec59b Mon Sep 17 00:00:00 2001
From: Pradip Parkale <pradip.parkale@enterprisedb.com>
Date: Wed, 28 Apr 2021 11:59:45 +0530
Subject: [PATCH] =?UTF-8?q?Ensure=20that=20pgAdmin=20should=20not=20allow?=
 =?UTF-8?q?=20opening=20external=C2=A0files=20that=20are=20dragged=20into?=
 =?UTF-8?q?=20it.=20Fixes=20#6355?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/en_US/release_notes_5_3.rst                   |  1 +
 web/pgadmin/browser/static/js/panel.js             | 10 ++++++++++
 web/pgadmin/tools/sqleditor/static/js/sqleditor.js | 10 ++++++++++
 3 files changed, 21 insertions(+)

diff --git a/docs/en_US/release_notes_5_3.rst b/docs/en_US/release_notes_5_3.rst
index da521d475..b17408e44 100644
--- a/docs/en_US/release_notes_5_3.rst
+++ b/docs/en_US/release_notes_5_3.rst
@@ -19,6 +19,7 @@ Bug fixes
 
 | `Issue #6329 <https://redmine.postgresql.org/issues/6329>`_ -  Fixed an issue where the wrong SQL is showing for the child partition tables.
 | `Issue #6341 <https://redmine.postgresql.org/issues/6341>`_ -  Fixed an issue where CSV download quotes the numeric columns.
+| `Issue #6355 <https://redmine.postgresql.org/issues/6355>`_ -  Ensure that pgAdmin should not allow opening external files that are dragged into it.
 | `Issue #6377 <https://redmine.postgresql.org/issues/6377>`_ -  Fixed an issue where schema diff does not create DROP DEFAULT statement for columns.
 | `Issue #6385 <https://redmine.postgresql.org/issues/6385>`_ -  Ensure that Backup and Restore should work on shared servers.
 | `Issue #6408 <https://redmine.postgresql.org/issues/6408>`_ -  Fixed ModuleNotFoundError when running setup.py from outside of the root.
diff --git a/web/pgadmin/browser/static/js/panel.js b/web/pgadmin/browser/static/js/panel.js
index bf9e874ce..c0371b2dc 100644
--- a/web/pgadmin/browser/static/js/panel.js
+++ b/web/pgadmin/browser/static/js/panel.js
@@ -97,6 +97,16 @@ define(
                 that.onCreate.apply(that, [myPanel, $container]);
               }
 
+              // Prevent browser from opening the drag file.
+              $('.pg-panel-content').bind('dragover', function (event) {
+                event.stopPropagation();
+                event.preventDefault();
+              });
+              $('.pg-panel-content').bind('drop', function (event) {
+                event.stopPropagation();
+                event.preventDefault();
+              });
+
               if (that.elContainer) {
                 myPanel.pgElContainer = $container;
                 $container.addClass('pg-el-container');
diff --git a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
index b5503255c..28d989f47 100644
--- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
@@ -491,6 +491,16 @@ define('tools.querytool', [
         }, 200);
       });
 
+      // Prevent browser from opening the drag file.
+      $('#datagrid').bind('dragover', function (event) {
+        event.stopPropagation();
+        event.preventDefault();
+      });
+      $('#datagrid').bind('drop', function (event) {
+        event.stopPropagation();
+        event.preventDefault();
+      });
+
       var open_new_tab = self.browser_preferences.new_browser_tab_open;
       if (_.isNull(open_new_tab) || _.isUndefined(open_new_tab) || !open_new_tab.includes('qt')) {
         // Listen on the panel closed event and notify user to save modifications.