Hi,

Please find attached a minor patch to make the session more secure in web (server) mode.
RM#2584

Ref: https://flask-paranoid.readthedocs.io/en/latest/

Please review.

--
Regards,
Murtuza Zabuawala
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
diff --git a/requirements.txt b/requirements.txt
index cc00a8d..9baf999 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -41,3 +41,4 @@ sqlparse==0.1.19
 Werkzeug==0.9.6
 WTForms==2.0.2
 backports.csv==1.0.4; python_version <= '2.7'
+Flask-Paranoid==0.1.0
diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py
index 4389e96..fd03cc1 100644
--- a/web/pgadmin/__init__.py
+++ b/web/pgadmin/__init__.py
@@ -22,6 +22,7 @@ from flask_security import Security, SQLAlchemyUserDatastore
 from flask_mail import Mail
 from flask_security.utils import login_user
 from werkzeug.datastructures import ImmutableDict
+from flask_paranoid import Paranoid
 
 from pgadmin.utils import PgAdminModule, driver
 from pgadmin.utils.versioned_template_loader import VersionedTemplateLoader
@@ -285,6 +286,11 @@ def create_app(app_name=None):
 
     app.session_interface = create_session_interface(app)
 
+    # Make the Session more secure against XSS & CSRF when running in web mode
+    if config.SERVER_MODE:
+        paranoid = Paranoid(app)
+        paranoid.redirect_view = 'browser.index'
+
     ##########################################################################
     # Load all available server drivers
     ##########################################################################
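Review bot: The comment on the added block overstates what Flask-Paranoid provides — per the referenced docs it binds the session to a token derived from the client's IP address and User-Agent and clears the session on mismatch, which mitigates reuse of a stolen session cookie (session hijacking), not XSS or CSRF, and no CSRF token is added by this patch. Suggest rewording to `# Bind the session to the client's IP/User-Agent (Flask-Paranoid) so a stolen session cookie cannot be replayed from another client; server mode only`. Because the token depends on the remote address, a deployment behind a reverse proxy or load balancer presumably needs the real client IP exposed to Flask (a ProxyFix-style middleware trusting X-Forwarded-For from that proxy only), otherwise every client presents the proxy's address and the binding adds little, while clients whose address changes mid-session will be silently logged out and redirected to `browser.index` — worth a note next to the `config.SERVER_MODE` check. `create_app` continues outside the hunk.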
