| From: | Ganesh Jaybhay <ganesh(dot)jaybhay(at)enterprisedb(dot)com> |
|---|---|
| To: | pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org> |
| Subject: | [pgAdmin][5919] Fix security related issues |
| Date: | 2020-10-19 12:01:07 |
| Message-ID: | CAK6syApbZRiHvJ9Z=mzAg6XPY79wWCPQsyBXo+3kut5UPUEsDA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers |
Hi Hackers,
Please find the attached patch to fix the below security issues:
- Host Header Injection - Added ALLOWED_HOSTS list to limit host address
- Lack of Content Security Policy (CSP) - Added security header
- Lack of Protection Mechanisms - HSTS - Added security header
- Lack of Cookie Attribute – Secure : Kept as False as secure limits
cookies to HTTPS traffic only.
- Information Disclosure – Web Server / Development Framework
VersionDescription: Kept as hard coded 'Python' instead of exposing
wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.
Regards,
Ganesh Jaybhay
| Attachment | Content-Type | Size |
|---|---|---|
| RM5919.patch | application/octet-stream | 12.9 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2020-10-19 12:08:03 | Re: [pgAdmin][5919] Fix security related issues |
| Previous Message | Akshay Joshi | 2020-10-19 05:28:05 | Re: [pgAdmin4][RM4232]: Change what is shown by default in tab titles |