Re: [pgAdmin][5919] Fix security related issues

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Dave Page <[email protected]>
To: Ganesh Jaybhay <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: [pgAdmin][5919] Fix security related issues
Date: Mon, 19 Oct 2020 13:08:03 +0100
Message-ID: <CA+OCxowZ1XrTtZ2Caz0nRuNX5T8zQ3YbyJV5RDs80_v=f5m-Xg@mail.gmail.com> (raw)
In-Reply-To: <CAK6syApbZRiHvJ9Z=mzAg6XPY79wWCPQsyBXo+3kut5UPUEsDA@mail.gmail.com>
References: <CAK6syApbZRiHvJ9Z=mzAg6XPY79wWCPQsyBXo+3kut5UPUEsDA@mail.gmail.com>

Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <
[email protected]> wrote:

> Hi Hackers,
>
> Please find the attached patch to fix the below security issues:
>
>    - Host Header Injection - Added ALLOWED_HOSTS list to limit host
>    address
>    - Lack of Content Security Policy (CSP) - Added security header
>    - Lack of Protection Mechanisms - HSTS - Added security header
>    - Lack of Cookie Attribute – Secure : Kept as False as secure limits
>    cookies to HTTPS traffic only.
>    - Information Disclosure – Web Server / Development Framework
>    VersionDescription: Kept as hard coded 'Python' instead of exposing
>    wsgi/python/gunicorn version info.
>
> Please review and let me know if I have missed anything.
>

I took a very quick look at this, and one thing that immediately stood out
is that HSTS should definitely not be enabled by default. That can make
dev/test/redeploy extremely difficult.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com

view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: [pgAdmin][5919] Fix security related issues
  In-Reply-To: <CA+OCxowZ1XrTtZ2Caz0nRuNX5T8zQ3YbyJV5RDs80_v=f5m-Xg@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox