From 86736c289bb0d689aa5ed269c14da157e80cbea0 Mon Sep 17 00:00:00 2001
From: "SPRINX0\\prochazka"
Date: Tue, 4 Feb 2025 16:01:50 +0100
Subject: [PATCH 1/3] security problem fix #1029

---
 packages/api/src/auth/authProvider.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/api/src/auth/authProvider.js b/packages/api/src/auth/authProvider.js
index c13628ce8..00fa04d81 100644
--- a/packages/api/src/auth/authProvider.js
+++ b/packages/api/src/auth/authProvider.js
@@ -218,7 +218,7 @@ class LoginsProvider extends AuthProviderBase {
 };
 }
 
- if (password == process.env[`LOGIN_PASSWORD_${login}`]) {
+ if (password && password == process.env[`LOGIN_PASSWORD_${login}`]) {
 return {
 accessToken: jwt.sign(
 {

From 8e4308bea817aed4aed868db90ae577696161fc9 Mon Sep 17 00:00:00 2001
From: "SPRINX0\\prochazka"
Date: Tue, 4 Feb 2025 16:07:33 +0100
Subject: [PATCH 2/3] v6.1.5

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 21d48f5b7..aaed4468f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "private": true,
- "version": "6.1.4",
+ "version": "6.1.5",
 "name": "dbgate-all",
 "workspaces": [
 "packages/*",

From b3b94bfb3f50f249cbade4aff8c0d3981cb7929b Mon Sep 17 00:00:00 2001
From: "SPRINX0\\prochazka"
Date: Tue, 4 Feb 2025 16:12:00 +0100
Subject: [PATCH 3/3] 6.1.5 changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4855fb782..2e1388b04 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ Builds:
 - linux - application for linux
 - win - application for Windows
 
+### 6.1.5
+- FIXED: Serious security hotfix (for Docker and NPM, when using LOGIN and PASSWORD environment variables or LOGIN_PASSWORD_xxx)
+- no changes for desktop app and for Team premium edition, when using storage DB
+
 ### 6.1.4
 - CHANGED: Show Data/Structure button in one place #1015
 - ADDED: Data view coloring (every second row) #1014
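Review bot: In the `packages/api/src/auth/authProvider.js` hunk the added `password &&` guard validates only the request side; the comparison still uses loose `==` and never checks that the `LOGIN_PASSWORD_${login}` variable is actually configured. The guard does stop a missing password from comparing equal to an unset variable, but the check would fail closed more reliably if it also validated the configured value: read the variable into a local `expected` and test `typeof password === 'string' && typeof expected === 'string' && expected !== '' && password === expected`. A constant-time comparison such as `crypto.timingSafeEqual` over equal-length buffers would additionally avoid leaking how much of the secret matched through response timing. The enclosing method starts and ends outside the hunk, so any earlier validation of `login` or `password` is not visible here.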