File 0001-Fixed-a-security-issue-where-the-OAuth2-client-ID-and-secret.patch of Package pgadmin4.40052

From a0aa1855186bbe769182e797dc546812ed4dc720 Mon Sep 17 00:00:00 2001
From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Date: Fri, 20 Sep 2024 08:44:38 +0530
Subject: [PATCH] Fixed a security issue where the OAuth2 client ID and secret
 exposed through the web browser (CVE-2024-9014). #7945

---
 docs/en_US/release_notes_8_12.rst              |  5 +++--
 web/pgadmin/templates/security/login_user.html | 11 ++++++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

#diff --git a/docs/en_US/release_notes_8_12.rst b/docs/en_US/release_notes_8_12.rst
#index 3c21bf6d1aa..8bc9b925894 100644
#--- a/docs/en_US/release_notes_8_12.rst
#+++ b/docs/en_US/release_notes_8_12.rst
#@@ -2,7 +2,7 @@
# Version 8.12
# ************
# 
#-Release date: 2024-09-19
#+Release date: 2024-09-23
# 
# This release contains a number of bug fixes and new features since the release of pgAdmin 4 v8.11.
# 
#@@ -39,4 +39,5 @@ Bug fixes
#   | `Issue #7839 <https://github.com/pgadmin-org/pgadmin4/issues/7839>`_ -  Added support for OIDC based OAuth2 authentication.
#   | `Issue #7878 <https://github.com/pgadmin-org/pgadmin4/issues/7878>`_ -  Fixed an issue where cursor moves to end of line when editing input fields.
#   | `Issue #7890 <https://github.com/pgadmin-org/pgadmin4/issues/7890>`_ -  Fixed an issue where "Quit App" confirmation modal in desktop app is not respecting "Confirm on close or refresh?".
#-  | `Issue #7895 <https://github.com/pgadmin-org/pgadmin4/issues/7895>`_ -  Fixed an issue where different client backend shows all SQL are same.
#\ No newline at end of file
#+  | `Issue #7895 <https://github.com/pgadmin-org/pgadmin4/issues/7895>`_ -  Fixed an issue where different client backend shows all SQL are same.
#+  | `Issue #7945 <https://github.com/pgadmin-org/pgadmin4/issues/7945>`_ -  Fixed a security issue where the OAuth2 client ID and secret exposed through the web browser (CVE-2024-9014).
#\ No newline at end of file
diff --git a/web/pgadmin/templates/security/login_user.html b/web/pgadmin/templates/security/login_user.html
index f3d716d109d..2e81d6af7f5 100644
--- a/web/pgadmin/templates/security/login_user.html
+++ b/web/pgadmin/templates/security/login_user.html
@@ -4,6 +4,15 @@
 {% for key, lang in config.LANGUAGES.items() %}
 {% set _ = ns.langOptions.append({'value': key, 'label': lang}) %}
 {% endfor %}
+{% set oauth2_config = [] %}
+{% for i in config.OAUTH2_CONFIG %}
+  {% set _tmp = oauth2_config.append({'OAUTH2_NAME': config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_NAME'],
+    'OAUTH2_BUTTON_COLOR':  config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_BUTTON_COLOR'],
+    'OAUTH2_DISPLAY_NAME':  config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_DISPLAY_NAME'],
+    'OAUTH2_ICON':  config.OAUTH2_CONFIG[loop.index-1]['OAUTH2_ICON']
+  }) %}
+{% endfor %}
+
 {% set page_props = {
     'userLanguage': user_language,
     'langOptions': ns.langOptions,
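Review bot: The added loop binds `i` but never uses it, and instead re-indexes `config.OAUTH2_CONFIG[loop.index-1]` four times. Iterating directly with `{% for provider in config.OAUTH2_CONFIG %}` and reading `provider['OAUTH2_NAME']` and the other three keys would be clearer and would drop the manual index arithmetic. The four-key allow-list is the actual security control for CVE-2024-9014, so it deserves a template comment such as `{# Only display fields reach the browser; never copy the client ID or secret into this dict #}` to stop a later edit from widening it. It may also be worth confirming that every provider entry defines `OAUTH2_ICON` and `OAUTH2_BUTTON_COLOR`, since a missing key would presumably put an undefined value into `page_props`. A regression test asserting that the rendered login page does not contain the configured client secret would pin the fix.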
@@ -15,7 +24,7 @@
         'OAUTH2': config.OAUTH2,
         'KERBEROS': config.KERBEROS,
     },
-    'oauth2Config': config.OAUTH2_CONFIG,
+    'oauth2Config': oauth2_config,
     'loginBanner': config.LOGIN_BANNER|safe
 } %}
 {% extends "security/render_page.html" %}