Re: [pgAdmin][5919] Fix security related issues - Mailing list pgadmin-hackers

From Dave Page
Subject Re: [pgAdmin][5919] Fix security related issues
Msg-id CA+OCxowZ1XrTtZ2Caz0nRuNX5T8zQ3YbyJV5RDs80_v=f5m-Xg@mail.gmail.com
In response to [pgAdmin][5919] Fix security related issues  (Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com>)
Responses Re: [pgAdmin][5919] Fix security related issues  (Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com>)
List pgadmin-hackers
Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
Hi Hackers,

Please find the attached patch to fix the below security issues:
  • Host Header Injection - Added ALLOWED_HOSTS list to limit host address
  • Lack of Content Security Policy (CSP) - Added security header
  • Lack of Protection Mechanisms - HSTS - Added security header
  • Lack of Cookie Attribute - Secure: Kept as False as Secure limits cookies to HTTPS traffic only.
  • Information Disclosure - Web Server / Development Framework Version: Kept as hard-coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.

I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com
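The controls listed in the quoted patch description, as an added example that is not pgAdmin's code and not from either poster: a stdlib-only WSGI middleware that rejects requests whose Host header is outside an allow-list, adds a CSP header, replaces the Server header with a fixed 'Python', and adds HSTS only when explicitly switched on (off by default, per the objection above). The ALLOWED_HOSTS entries, the CSP value and the stand-in application are constructed for illustration.

```python
# Added illustration, not pgAdmin's implementation. ALLOWED_HOSTS, CSP and
# HSTS values below are assumptions chosen for the demo.
ALLOWED_HOSTS = ["localhost", "127.0.0.1", "::1"]   # constructed allow-list
CSP = "default-src 'self'"                          # assumed minimal policy
HSTS = "max-age=31536000"

def _strip_port(host):
    """Return the lower-cased hostname from a Host header, dropping any port."""
    host = host.strip().lower()
    if host.startswith("["):                        # IPv6 literal, e.g. [::1]:5050
        end = host.find("]")
        return host[1:end] if end > 0 else ""
    name, _, port = host.rpartition(":")
    return name if port.isdigit() and name else host

def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Host header check: empty or unlisted hostnames are rejected."""
    hostname = _strip_port(host_header or "")
    return bool(hostname) and hostname in allowed

def security_middleware(app, hsts_enabled=False):
    """Wrap a WSGI app with the host check and the response headers."""
    def wrapped(environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", "")):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Host header\n"]
        def _start(status, headers, exc_info=None):
            # Drop whatever Server value the app/gunicorn set and pin it.
            headers = [(k, v) for k, v in headers if k.lower() != "server"]
            headers.append(("Server", "Python"))
            headers.append(("Content-Security-Policy", CSP))
            if hsts_enabled:                        # opt-in only, never default
                headers.append(("Strict-Transport-Security", HSTS))
            return start_response(status, headers, exc_info)
        return app(environ, _start)
    return wrapped

def hello_app(environ, start_response):
    """Stand-in application that leaks a server version, as a WSGI server might."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Server", "gunicorn/x.y")])
    return [b"hello\n"]

def run_request(app, host, hsts_enabled=False):
    """Drive the middleware with a minimal environ; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = security_middleware(app, hsts_enabled)({"HTTP_HOST": host}, start_response)
    return captured["status"], captured["headers"], b"".join(body)
```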
