[pgAdmin][5919] Fix security related issues - Mailing list pgadmin-hackers

From Ganesh Jaybhay
Subject [pgAdmin][5919] Fix security related issues
Msg-id CAK6syApbZRiHvJ9Z=mzAg6XPY79wWCPQsyBXo+3kut5UPUEsDA@mail.gmail.com
Responses Re: [pgAdmin][5919] Fix security related issues  (Dave Page <dpage@pgadmin.org>)
List pgadmin-hackers
Hi Hackers,

Please find the attached patch to fix the below security issues:
  • Host Header Injection: Added ALLOWED_HOSTS list to limit host address
  • Lack of Content Security Policy (CSP): Added security header
  • Lack of Protection Mechanisms (HSTS): Added security header
  • Lack of Cookie Attribute (Secure): Kept as False, as Secure limits cookies to HTTPS traffic only.
  • Information Disclosure (Web Server / Development Framework Version): Kept as hard-coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.

Regards,
Ganesh Jaybhay

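As an added example (not the attached patch, which is not reproduced here, and not pgAdmin's own code), the following standard-library WSGI middleware shows the server-side changes the list above describes: a Host-header allow-list, CSP and HSTS response headers, and a generic Server header that replaces whatever the application or WSGI server set. The allow-list entries and header values are constructed for illustration.

```python
"""WSGI middleware: Host allow-list, CSP/HSTS headers, generic Server header."""
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

# Constructed allow-list; a deployment lists the names clients actually use.
ALLOWED_HOSTS = ["127.0.0.1", "localhost", "pgadmin.example.internal"]

SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Server", "Python"),  # no wsgi/python/gunicorn version details
]
OVERRIDDEN = {name.lower() for name, _ in SECURITY_HEADERS}


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True if the Host header (port stripped, IPv6-safe) is on the allow-list."""
    if not host_header:
        return False
    try:
        hostname = urlsplit("//" + host_header).hostname  # lower-cased, no port
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    return hostname is not None and hostname in {h.lower() for h in allowed}


class SecurityHeadersMiddleware:
    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app, self.allowed_hosts = app, allowed_hosts

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), self.allowed_hosts):
            start_response("400 Bad Request", [("Content-Type", "text/plain")] + SECURITY_HEADERS)
            return [b"Invalid Host header\n"]

        def secured_start_response(status, headers, exc_info=None):
            # Drop app-supplied Server/CSP/HSTS headers, then append ours.
            kept = [(k, v) for k, v in headers if k.lower() not in OVERRIDDEN]
            return start_response(status, kept + SECURITY_HEADERS, exc_info)

        return self.app(environ, secured_start_response)


def hello_app(environ, start_response):  # constructed app leaking its server version
    start_response("200 OK", [("Content-Type", "text/plain"), ("Server", "gunicorn/20.1.0")])
    return [b"hello\n"]


def call(app, host):
    """Run one request through the WSGI stack; return (status, header dict, body)."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    environ["HTTP_HOST"] = host

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured_app = SecurityHeadersMiddleware(hello_app)
```

Note that the cookie Secure attribute the list keeps at False is a session-layer setting, not a response header, so it is not part of this middleware.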