pgAdmin users who are authenticated can access each other's directories and files by providing relative paths #5734

Closed
akshay-joshi opened this issue Jan 13, 2023 · 1 comment
@akshay-joshi
Contributor

Describe the bug
pgAdmin users who are authenticated can access each other's directories and files by providing relative paths.

To Reproduce

Steps to reproduce the behavior:

  1. Start pgAdmin in Server mode. You need to create two users, 'user1@xyz.com' and 'user2@xyz.com'.
  2. Log in as user1 and export some servers. Provide the file name as 'servers.json'.
  3. Log in as user2 and Import servers with user2 and set the JSON file name as '../user1_xyz.com/servers.json'.
  4. It reads the file and shows the servers to import.

Expected behavior
By providing relative paths, users should not be able to access each other's directories and files.

Desktop (please complete the following information):

  • OS: [All]
  • Version: [6.18]
  • Mode: [Server]
@yogeshmahajan-1903
Contributor

Issue is verified on the candidate build. Users get an Access Denied error on accessing each other's directory.
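
The containment check that the reproduction steps call for, as an added example (not part of the original issue and not pgAdmin's own code). The function names, the `AccessDenied` exception and the temporary directory layout are assumptions made for illustration; only the '../user1_xyz.com/servers.json' input and the per-user directory naming come from the report.

```python
import os
import tempfile


class AccessDenied(Exception):
    """Requested path resolves outside the caller's storage directory."""


def user_dir_name(email):
    # Assumption: matches the report ('user1@xyz.com' -> 'user1_xyz.com').
    return email.replace("@", "_")


def naive_resolve(storage_root, email, filename):
    # Weak form: joins the user-supplied name and never checks where it lands.
    return os.path.normpath(
        os.path.join(storage_root, user_dir_name(email), filename))


def safe_resolve(storage_root, email, filename):
    # Resolve symlinks and '..' first, then require the result to stay
    # inside the caller's own directory (component-wise, not a prefix match).
    base = os.path.realpath(os.path.join(storage_root, user_dir_name(email)))
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise AccessDenied(filename)
    return candidate


def demo():
    # Constructed layout: two per-user directories under one storage root.
    with tempfile.TemporaryDirectory() as root:
        for email in ("user1@xyz.com", "user2@xyz.com"):
            user_dir = os.path.join(root, user_dir_name(email))
            os.makedirs(user_dir)
            with open(os.path.join(user_dir, "servers.json"), "w") as fh:
                fh.write("{}")
        other = os.path.join(root, "user1_xyz.com", "servers.json")
        os.symlink(other, os.path.join(root, "user2_xyz.com", "link.json"))
        requested = "../user1_xyz.com/servers.json"
        out = {"naive": os.path.samefile(
            naive_resolve(root, "user2@xyz.com", requested), other)}
        for name in ("servers.json", requested, other, "link.json"):
            try:
                safe_resolve(root, "user2@xyz.com", name)
                out[name] = "allowed"
            except AccessDenied:
                out[name] = "denied"
        return out, other
```

Besides the relative path from the report, the check also rejects an absolute path and a symlink placed inside user2's own directory that points at user1's file.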

akshay-joshi pushed a commit to akshay-joshi/pgadmin4 that referenced this issue Jan 17, 2023