From: Akshay Joshi <[email protected]>
To: Ganesh Jaybhay <[email protected]>
Cc: Dave Page <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: [pgAdmin][5919] Fix security related issues
Date: Tue, 20 Oct 2020 17:17:26 +0530
Message-ID: <CANxoLDc-x371pOonhWK_jirbnQi1zJsd4a8qXCqaow-sMpOQ7g@mail.gmail.com>
In-Reply-To: <CAK6syAqACY7Ab-HBDB5+0D0xkqMaH0=FM5j5G0yfjZqit4Lp3Q@mail.gmail.com>
References: <CAK6syApbZRiHvJ9Z=mzAg6XPY79wWCPQsyBXo+3kut5UPUEsDA@mail.gmail.com>
	<CA+OCxowZ1XrTtZ2Caz0nRuNX5T8zQ3YbyJV5RDs80_v=f5m-Xg@mail.gmail.com>
	<CAK6syAqACY7Ab-HBDB5+0D0xkqMaH0=FM5j5G0yfjZqit4Lp3Q@mail.gmail.com>

Thanks, patch applied.

On Mon, Oct 19, 2020 at 7:17 PM Ganesh Jaybhay <[email protected]> wrote:

> Thank you Dave for the suggestion.
>
> Please find the attached updated patch to make HSTS by default disabled
> and conditional based on flag.
>
> Regards,
> Ganesh Jaybhay
>
> On Mon, Oct 19, 2020 at 5:38 PM Dave Page <[email protected]> wrote:
>
>> Hi
>>
>> On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <[email protected]> wrote:
>>
>>> Hi Hackers,
>>>
>>> Please find the attached patch to fix the below security issues:
>>>
>>>    - Host Header Injection: added an ALLOWED_HOSTS list to limit the host address.
>>>    - Lack of Content Security Policy (CSP): added the security header.
>>>    - Lack of Protection Mechanisms (HSTS): added the security header.
>>>    - Lack of Cookie Attribute (Secure): kept as False, as Secure limits cookies to HTTPS traffic only.
>>>    - Information Disclosure (Web Server / Development Framework Version): kept as the hard-coded 'Python' instead of exposing wsgi/python/gunicorn version info.
>>>
>>> Please review and let me know if I have missed anything.
>>>
>>
>> I took a very quick look at this, and one thing that immediately stood
>> out is that HSTS should definitely not be enabled by default. That can make
>> dev/test/redeploy extremely difficult.
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>
>>

-- 
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Sr. Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*


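The five items in Ganesh's list, plus Dave's request that HSTS be off by default, can be demonstrated together in a small WSGI middleware. The block below is an added example written for this archive page; it is not pgAdmin's code and does not reproduce the patch in question. The configuration names (ALLOWED_HOSTS is the only one taken from the thread; CONTENT_SECURITY_POLICY, STRICT_TRANSPORT_SECURITY_ENABLED, STRICT_TRANSPORT_SECURITY and SERVER_HEADER are hypothetical), the allow-list entries and the demo application are all constructed for illustration. It uses only the Python standard library so it runs without Flask or gunicorn.

```python
"""Added example, not pgAdmin's own code: a WSGI middleware that
(1) rejects requests whose Host header is not in an allow-list,
(2) adds a Content-Security-Policy header,
(3) adds Strict-Transport-Security only when explicitly enabled, and
(4) replaces any Server header with a generic value.
Cookie Secure handling is left to the application, as the thread does.
"""
from wsgiref.util import setup_testing_defaults

# Hypothetical configuration names; values are constructed samples.
ALLOWED_HOSTS = ["localhost", "127.0.0.1", "pgadmin.example.test"]
CONTENT_SECURITY_POLICY = "default-src 'self'"
STRICT_TRANSPORT_SECURITY_ENABLED = False   # off by default, opt-in per Dave's comment
STRICT_TRANSPORT_SECURITY = "max-age=31536000; includeSubDomains"
SERVER_HEADER = "Python"                     # generic value, no wsgi/python/gunicorn version


def host_is_allowed(host_header, allowed_hosts):
    """True if the hostname part of the Host header (port stripped) is allow-listed."""
    if not host_header:
        return False
    host = host_header.strip()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:5050
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:               # hostname:port
        host = host.split(":", 1)[0]
    return host.lower() in {h.lower() for h in allowed_hosts}


def security_headers(hsts_enabled):
    """Headers the middleware appends to every response."""
    headers = [("Content-Security-Policy", CONTENT_SECURITY_POLICY),
               ("Server", SERVER_HEADER)]
    if hsts_enabled:                         # conditional on the flag, never implicit
        headers.append(("Strict-Transport-Security", STRICT_TRANSPORT_SECURITY))
    return headers


class HardeningMiddleware:
    """Wraps a WSGI app and applies the host check and response headers."""

    MANAGED = {"server", "content-security-policy", "strict-transport-security"}

    def __init__(self, app, allowed_hosts=None, hsts_enabled=STRICT_TRANSPORT_SECURITY_ENABLED):
        self.app = app
        self.allowed_hosts = allowed_hosts if allowed_hosts is not None else ALLOWED_HOSTS
        self.hsts_enabled = hsts_enabled

    def __call__(self, environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", ""), self.allowed_hosts):
            # Refuse before the application sees the request: an unexpected Host
            # header must not reach URL generation or password-reset links.
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain")] + security_headers(self.hsts_enabled))
            return [b"Bad Request: host not allowed\n"]

        def wrapped_start_response(status, headers, exc_info=None):
            # Drop any app- or server-supplied values for the headers we manage,
            # then append ours so the generic Server value always wins.
            kept = [(k, v) for k, v in headers if k.lower() not in self.MANAGED]
            return start_response(status, kept + security_headers(self.hsts_enabled), exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed application that leaks a version string in Server."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "ExampleServer/1.0 (constructed)")])
    return [b"hello\n"]


def run_request(app, host, hsts_enabled=False):
    """Drive the wrapped app with a constructed WSGI environ.
    Returns (status, headers as dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_HOST"] = host
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(HardeningMiddleware(app, hsts_enabled=hsts_enabled)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for host in ("localhost:5050", "attacker.example"):
        status, headers, _ = run_request(demo_app, host)
        print(host, "->", status, headers.get("Server"), headers.get("Strict-Transport-Security"))
```

The host check runs before the application so an unexpected Host value is never used to build absolute URLs; the HSTS header is emitted only when the flag is set, which keeps plain-HTTP dev and test deployments usable, matching the thread's outcome.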