[CKAN-Security] Datastore sql injection (write access)

Alice Heaton a.heaton at nhm.ac.uk
Thu Oct 9 14:40:47 UTC 2014


I have found an SQL Injection :-) On master - I don't think that code 
was in a release yet.

How to reproduce

On master, upload this CSV file to the datastore:

The first field, The second field, MIX FIELD,fo;'));CREATE TABLE 
breakit(breakit integer);--ürth_field,lat,long
a value, another value, a third value, a fourth value,21,14
A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45

And you will get a new table called 'breakit' ! Only the text on the 
first line starting at the single quote and finishing at the double dash 
is relevant here; the rest was just me doing various tests.

What happens

When uploading the table, field names are validated to ensure that they 
don't contain double quotes, since field names are typically escaped 
using double quotes. However there is (at least) one context where field 
names are enclosed in single, rather than double, quotes: when creating 
full text indexes. Specifically when calling to_tsvector('language', 

The culprit is _build_fts_indexes in ckanext/datastore/db.py

Vitor: I'm cc-ing you because last time I wrote to security at ckan.org I 
didn't get a reply, so I'm not sure anyone actually reads it...

Can you confirm this has been received?

Best Wishes,
Alice Heaton

More information about the Security mailing list