From: Akshay Joshi
Date: Thu, 21 Oct 2021 11:15:35 +0530
Subject: Re: [pgAdmin][patch] Ignore flask-security-too irrelevant vulnerability
To: Aditya Toshniwal
Cc: pgadmin-hackers

Thanks, the patch applied.

On Thu, Oct 21, 2021 at 10:48 AM Aditya Toshniwal <aditya.toshniwal@enterprisedb.com> wrote:
> Hi Hackers,
>
> As per safety audit vulnerability report id #40493 for flask-security-too:
> *This is considered a low severity due to the fact that if Werkzeug is
> used (which is very common with Flask applications) as the WSGI layer, it
> by default ALWAYS ensures that the Location header is absolute - thus
> making this attack vector mute.*
>
> Attached patch will ignore this ID for the audit.
>
> --
> Thanks,
> Aditya Toshniwal
> pgAdmin Hacker | Software Architect | *edbpostgres.com*
>
> "Don't Complain about Heat, Plant a TREE"

--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres*
*Mobile: +91 976-788-8246*
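The reasoning in the quoted message rests on the WSGI layer rewriting every Location header into an absolute URL before it reaches the browser. The following added example (not part of this thread, the pgAdmin code base, or Werkzeug/Flask-Security) models that step with a plain urllib.parse.urljoin against the request URL, which is an assumption about how the absolutization works, and pairs it with a same-host check a reviewer can run over a batch of redirect targets. All function names and sample inputs are constructed for illustration.

```python
"""Added example: model an absolutizing WSGI layer and audit redirect targets.

Assumption (not stated in the email): the WSGI layer resolves a Location
value against the request URL with an RFC 3986 join. urllib.parse.urljoin is
used here to stand in for that step. Helper names are illustrative only.
"""
from urllib.parse import urljoin, urlsplit


def absolutize_location(request_url: str, location: str) -> str:
    """Resolve a Location value the way an absolutizing WSGI layer would:
    relative paths become absolute URLs on the request's scheme and host."""
    return urljoin(request_url, location)


def redirect_stays_on_host(request_url: str, location: str) -> bool:
    """Defender-side check: after absolutization, does the redirect still point
    at the scheme and host that served the request?"""
    req = urlsplit(request_url)
    target = urlsplit(absolutize_location(request_url, location))
    return (target.scheme, target.netloc) == (req.scheme, req.netloc)


def audit_redirects(request_url: str, candidates):
    """Return the candidate targets that would leave the request host once the
    header has been made absolute. Handy as a unit test for a 'next' validator."""
    return [loc for loc in candidates if not redirect_stays_on_host(request_url, loc)]


# Constructed sample inputs (not taken from the email or the safety report).
REQUEST_URL = "https://app.example.test/login"
SAMPLES = [
    "/account",                    # ordinary root-relative redirect
    "account?tab=1",               # path-relative redirect
    "\\\\other.example.test/",     # backslashes: urlsplit sees a path, so the join keeps it on-host
    "//other.example.test/",       # scheme-relative: the join keeps the foreign host, check flags it
    "https://app.example.test/x",  # already absolute, same host
]

if __name__ == "__main__":
    for loc in SAMPLES:
        resolved = absolutize_location(REQUEST_URL, loc)
        print(f"{loc!r:30} -> {resolved!r:50} same_host={redirect_stays_on_host(REQUEST_URL, loc)}")
    print("off-host targets:", audit_redirects(REQUEST_URL, SAMPLES))
```

Absolutization alone turns a backslash-prefixed value, which Python's URL parser treats as a path, into an on-host URL, so a browser that would read the backslashes as a scheme-relative host never sees the raw value. A genuinely scheme-relative value survives the join with its foreign host intact, which is why the same-host comparison is kept as a separate check rather than relying on the header rewrite by itself.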