MIME-Version: 1.0
References: 
 <CAK6syApbZRiHvJ9Z=mzAg6XPY79wWCPQsyBXo+3kut5UPUEsDA@mail.gmail.com>
In-Reply-To: 
 <CAK6syApbZRiHvJ9Z=mzAg6XPY79wWCPQsyBXo+3kut5UPUEsDA@mail.gmail.com>
From: Dave Page <dpage@pgadmin.org>
Date: Mon, 19 Oct 2020 13:08:03 +0100
Message-ID: 
 <CA+OCxowZ1XrTtZ2Caz0nRuNX5T8zQ3YbyJV5RDs80_v=f5m-Xg@mail.gmail.com>
Subject: Re: [pgAdmin][5919] Fix security related issues
To: Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com>
Cc: pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000007a1a505b204f858"
Precedence: bulk

--00000000000007a1a505b204f858
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <
ganesh.jaybhay@enterprisedb.com> wrote:

> Hi Hackers,
>
> Please find the attached patch to fix the below security issues:
>
>    - Host Header Injection - Added ALLOWED_HOSTS list to limit host
>    address
>    - Lack of Content Security Policy (CSP) - Added security header
>    - Lack of Protection Mechanisms - HSTS - Added security header
>    - Lack of Cookie Attribute =E2=80=93 Secure : Kept as False as secure =
limits
>    cookies to HTTPS traffic only.
>    - Information Disclosure =E2=80=93 Web Server / Development Framework
>    VersionDescription: Kept as hard coded 'Python' instead of exposing
>    wsgi/python/gunicorn version info.
>
> Please review and let me know if I have missed anything.
>

I took a very quick look at this, and one thing that immediately stood out
is that HSTS should definitely not be enabled by default. That can make
dev/test/redeploy extremely difficult.

--=20
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com

--00000000000007a1a505b204f858
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi</div><br><div class=3D"gmail_quote"><div dir=3D"lt=
r" class=3D"gmail_attr">On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay &lt;=
<a href=3D"mailto:ganesh.jaybhay@enterprisedb.com">ganesh.jaybhay@enterpris=
edb.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-lef=
t:1ex"><div dir=3D"ltr">Hi Hackers,<div><br></div><div>Please find the atta=
ched patch to fix the below security issues:</div><div><ul><li>Host Header =
Injection -=C2=A0Added ALLOWED_HOSTS list to limit host address=C2=A0</li><=
li>Lack of Content Security Policy (CSP) - Added security header</li><li>La=
ck of Protection Mechanisms - HSTS -=C2=A0Added security header</li><li>Lac=
k of Cookie Attribute =E2=80=93 Secure : Kept as False as secure limits coo=
kies to HTTPS traffic only.</li><li>Information Disclosure =E2=80=93 Web Se=
rver / Development Framework VersionDescription: Kept=C2=A0as hard coded &#=
39;Python&#39; instead of exposing wsgi/python/gunicorn version info.</li><=
/ul><div>Please review and let me know if I have missed anything.</div></di=
v></div></blockquote><div><br></div><div>I took a very quick look at this, =
and one thing that immediately stood out is that HSTS should definitely not=
 be enabled by default. That can make dev/test/redeploy extremely difficult=
.</div><div>=C2=A0</div></div>-- <br><div dir=3D"ltr" class=3D"gmail_signat=
ure"><div dir=3D"ltr">Dave Page<br>Blog: <a href=3D"http://pgsnake.blogspot=
.com" target=3D"_blank">http://pgsnake.blogspot.com</a><br>Twitter: @pgsnak=
e<br><br>EDB: <a href=3D"http://www.enterprisedb.com" target=3D"_blank">htt=
p://www.enterprisedb.com</a><br><br></div></div></div>

--00000000000007a1a505b204f858--