From: Akshay Joshi
Date: Tue, 20 Oct 2020 17:17:26 +0530
Subject: Re: [pgAdmin][5919] Fix security related issues
To: Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com>
Cc: Dave Page <dpage@pgadmin.org>, pgadmin-hackers

Thanks, patch applied.

On Mon, Oct 19, 2020 at 7:17 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
> Thank you Dave for the suggestion.
>
> Please find the attached updated patch to make HSTS by default disabled
> and conditional based on flag.
>
> Regards,
> Ganesh Jaybhay
>
> On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage@pgadmin.org> wrote:
>> Hi
>>
>> On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
>>> Hi Hackers,
>>>
>>> Please find the attached patch to fix the below security issues:
>>>
>>> - Host Header Injection - Added ALLOWED_HOSTS list to limit host address
>>> - Lack of Content Security Policy (CSP) - Added security header
>>> - Lack of Protection Mechanisms - HSTS - Added security header
>>> - Lack of Cookie Attribute – Secure: Kept as False as Secure limits cookies to HTTPS traffic only.
>>> - Information Disclosure – Web Server / Development Framework Version. Description: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
>>>
>>> Please review and let me know if I have missed anything.
>>
>> I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com

--
Thanks & Regards
Akshay Joshi
pgAdmin Hacker | Sr. Software Architect
EDB Postgres
Mobile: +91 976-788-8246
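Added example, not part of the thread and not pgAdmin's own code: a pure-Python model of the checks the patch describes, so the reasoning about the Host allow-list and the opt-in HSTS flag can be exercised offline. ALLOWED_HOSTS is the name used in the thread; HSTS_ENABLED and CSP are assumed placeholder config names, and the sample hosts are constructed.

```python
import re

# Constructed sample configuration. ALLOWED_HOSTS is the name used in the
# thread; HSTS_ENABLED and CSP are placeholder names, not pgAdmin's own.
CONFIG = {
    "ALLOWED_HOSTS": ["pgadmin.example.internal", "127.0.0.1", "[::1]"],
    "HSTS_ENABLED": False,  # off by default, conditional on the flag
    "CSP": "default-src 'self'; frame-ancestors 'none'",
}

# A syntactically valid Host header: hostname or bracketed IPv6, optional port.
# Anything else (userinfo, paths, whitespace) is rejected outright.
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")

def _hostname(value):
    """Lower-cased host part of a Host header value, or None if malformed."""
    m = _HOST_RE.match(value.strip()) if value else None
    return m.group("host").lower() if m else None

def host_allowed(host_header, allowed_hosts):
    """True if the request's Host header is on the allow-list (port ignored).
    An empty ALLOWED_HOSTS disables the check, so deployments keep working
    until an operator opts in."""
    if not allowed_hosts:
        return True
    allowed = {_hostname(h) for h in allowed_hosts} - {None}
    return _hostname(host_header) in allowed

def security_headers(config):
    """Response headers added by the patch as described in the thread.
    CSP and the fixed Server value are always set; HSTS only when the flag
    is on, since browsers cache it and a default-on setting would break
    plain-HTTP dev/test and redeploy, as Dave Page pointed out."""
    headers = {
        "Content-Security-Policy": config["CSP"],
        "Server": "Python",  # hides wsgi/python/gunicorn version details
    }
    if config.get("HSTS_ENABLED"):
        headers["Strict-Transport-Security"] = "max-age=31536000"
    return headers

if __name__ == "__main__":
    for host in ["pgadmin.example.internal:443", "evil.example.com",
                 "evil@pgadmin.example.internal"]:
        print(f"{host!r:40} allowed={host_allowed(host, CONFIG['ALLOWED_HOSTS'])}")
    print(security_headers(CONFIG))
    print(security_headers({**CONFIG, "HSTS_ENABLED": True}))
```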