[ckan-dev] security issues

Cam Findlay cam at camfindlay.com
Fri Jun 2 03:34:48 UTC 2017


Sounds good Ian,

I'll look into making it along to one of the dev meetings, I'm relatively
new to CKAN as a product but old hat in the open source space (previous
developer and community manager for open source cms SilverStripe).

You are welcome to repurpose any of the approaches and code for use in
2.7.x, anything that can enhance security out of the box is welcome in my
books (and given the public sector adoption of CKAN makes a tonne of sense).

C.



On 2 June 2017 at 01:14, Ian Ward <ian at excess.org> wrote:

> I would love to get some of these features incorporated into core.
>
> Any chance someone could join one of our dev meetings to discuss it?
> https://hack.allmende.io/ckan-meeting
>
> On Wed, May 31, 2017 at 6:13 PM, Cam Findlay <cam at camfindlay.com> wrote:
>
>> Hi Hilde, Steve -
>>
>> Something you might find of use, we have open sourced our security
>> enhancements packaged as an extension (after going through a similar
>> security assessment).
>>
>> https://github.com/data-govt-nz/ckanext-security
>>
>> It deals with a number of the issues you raise and a few other things
>> that were specific to our particular assessment (however we'd be open to
>> pull requests on this extension if you wanted to say add more configuration
>> options to turn on/off various features you do/don't want from our plugin).
>>
>> This was built for 2.5.x CKAN and is running on a 2.6.x installation.
>>
>> CKAN core team might be interested in taking some of these features/code
>> into the work towards 2.7.x as I'm sure these issues will come up again and
>> would be good to bake in some of the useful security related features.
>>
>> Thanks :D
>>
>> Cam.
>>
>>
>>
>>
>> On 1 June 2017 at 05:46, Steven De Costa <steven.decosta at linkdigital.co
>> m.au> wrote:
>>
>>> You should stay up to date with patches for the version you are running.
>>> You need to be on 2.5.4 currently for any security updates since 2.5.1 was
>>> released.
>>>
>>>
>>>
>>> On Wed, May 31, 2017 at 11:53 PM <Hildegard.GERLACH at ec.europa.eu> wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> For putting a website (which uses CKAN) in production, we had to
>>>> undergo a security assessment.
>>>>
>>>> We are using CKAN 2.5.1, I don’t know if things are different with
>>>> newer versions.
>>>>
>>>>
>>>> One of the things which was criticized is the administrative
>>>> interface:
>>>>
>>>>
>>>> weak authentication: does not enforce strong passwords, multiple
>>>> failed attempts to login are allowed, no automatic logout after inactivity
>>>>
>>>>
>>>> Cross-Site Request Forgery: before performing administrative actions,
>>>> the application does not check whether HTTP requests were sent from an
>>>> authorized page (the "Referer" header is not checked and no XSRF token is
>>>> included)
>>>>
>>>> incomplete logout functionality: The application session token remains
>>>> valid after the user logs out from the application.
>>>>
>>>>
>>>> Are there any improvements going on?
>>>>
>>>>
>>>> Another thing is the Third Party Service gravatar: the service is
>>>> provided with the list of all application users and the list of pages
>>>> they visited
>>>>
>>>> Is it possible to disable the icon ?
>>>>
>>>>
>>>> Thanks for your help
>>>>
>>>>
>>>> Hilde
>>>> _______________________________________________
>>>> ckan-dev mailing list
>>>> ckan-dev at lists.okfn.org
>>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>>>>
>>> --
>>> STEVEN DE COSTA | EXECUTIVE DIRECTOR
>>> www.linkdigital.com.au
>>>
>>>
>>>
>>
>
>
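The three administrative-interface findings quoted in the thread (login not throttled and no idle logout, no CSRF token on state-changing requests, session token still valid after logout) map onto a handful of server-side controls. The Python below is an added illustration and is not part of this thread, nor code from CKAN or the ckanext-security extension; the `SessionStore` class, the threshold constants and the constructed credential are all assumptions made for the example. It keeps sessions in a server-side dictionary so that logout can actually revoke the token, ties a synchronizer CSRF token to each session, locks an account after repeated failures, expires idle sessions, and applies a minimal password rule.

```python
# Added illustrative example (not CKAN or ckanext-security code).
import hmac
import secrets
import time

# Thresholds are illustrative assumptions, not values from the thread.
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 30 * 60
MIN_PASSWORD_LENGTH = 12


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session token -> {"user", "csrf", "last_seen"}
        self._failures = {}   # user -> {"count", "locked_until"}

    @staticmethod
    def password_is_acceptable(password):
        # Minimal strength rule: length plus at least one letter and one digit.
        return (len(password) >= MIN_PASSWORD_LENGTH
                and any(c.isalpha() for c in password)
                and any(c.isdigit() for c in password))

    def login(self, user, password, check_password):
        """Return a new session token, or None (bad password or locked out)."""
        now = self._clock()
        rec = self._failures.get(user, {"count": 0, "locked_until": 0.0})
        if now < rec["locked_until"]:
            return None                      # still locked: do not even check
        if not check_password(user, password):
            rec["count"] += 1
            if rec["count"] >= MAX_FAILED_LOGINS:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["count"] = 0
            self._failures[user] = rec
            return None
        self._failures.pop(user, None)       # success clears the counter
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "csrf": secrets.token_urlsafe(32),
                                 "last_seen": now}
        return token

    def user_for(self, token):
        """Resolve a session token; sessions idle for too long are dropped."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def csrf_token_for(self, token):
        # Rendered into each form as a hidden field (synchronizer token).
        sess = self._sessions.get(token)
        return sess["csrf"] if sess else None

    def logout(self, token):
        # Deleting server-side is what makes the old cookie value worthless.
        self._sessions.pop(token, None)

    def authorize_state_change(self, token, submitted_csrf):
        """Gate for POST/PUT/DELETE: valid session AND matching CSRF token."""
        user = self.user_for(token)
        if user is None:
            return None
        expected = self._sessions[token]["csrf"]
        if not hmac.compare_digest(expected, submitted_csrf or ""):
            return None
        return user


def run_scenario():
    """Walk through the findings with a fake clock and return the outcomes."""
    clock = [1_000_000.0]                 # mutable fake clock, seconds
    store = SessionStore(clock=lambda: clock[0])
    users = {"admin": "correct horse battery 9"}   # constructed credential

    def check(u, p):
        return users.get(u) == p

    out = {"weak_password_accepted": store.password_is_acceptable("admin"),
           "strong_password_accepted": store.password_is_acceptable(users["admin"])}
    for _ in range(MAX_FAILED_LOGINS):
        store.login("admin", "wrong", check)
    out["locked_out"] = store.login("admin", users["admin"], check) is None
    clock[0] += LOCKOUT_SECONDS + 1
    token = store.login("admin", users["admin"], check)
    out["login_after_lockout"] = token is not None
    csrf = store.csrf_token_for(token)
    out["post_without_csrf"] = store.authorize_state_change(token, None)
    out["post_with_csrf"] = store.authorize_state_change(token, csrf)
    store.logout(token)
    out["reuse_after_logout"] = store.authorize_state_change(token, csrf)
    token2 = store.login("admin", users["admin"], check)
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    out["after_idle"] = store.user_for(token2)
    return out
```

The point worth noticing in `logout` is that revocation only works because the session record lives on the server: a signed cookie with no server-side state cannot be invalidated by the application, which is exactly the "session token remains valid after logout" finding. Checking the `Referer` header, which the assessment also mentioned, is a weaker alternative to the per-session token because that header is optional and easily absent.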