[CKAN-Security] Datastore sql injection (write access)
a.heaton at nhm.ac.uk
Thu Oct 9 14:40:47 UTC 2014
I have found an SQL Injection :-) On master - I don't think that code
was in a release yet.
How to reproduce
On master, upload this CSV file to the datastore:
The first field, The second field, MIX FIELD,fo;'));CREATE TABLE
a value, another value, a third value, a fourth value,21,14
A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45
And you will get a new table called 'breakit'! Only the text on the
first line starting at the single quote and finishing at the double dash
is relevant here; the rest was just me doing various tests.
When uploading the table, field names are validated to ensure that they
don't contain double quotes, since field names are typically escaped
using double quotes. However, there is (at least) one context where field
names are enclosed in single, rather than double, quotes: when creating
full text indexes. Specifically when calling to_tsvector('language',
The culprit is _build_fts_indexes in ckanext/datastore/db.py
Vitor: I'm cc-ing you because last time I wrote to security at ckan.org I
didn't get a reply, so I'm not sure anyone actually reads it...
Can you confirm this has been received?
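As an added illustration (not CKAN's code, and not the report's own), the Python below shows why a field-name check that rejects only double quotes gives no protection once the name lands in a single-quoted context, and how to quote identifiers and literals for the context each actually reaches, following PostgreSQL's quote_ident/quote_literal rules. The function names, the constructed field names and the index layout are assumptions.

```python
"""Context-aware quoting for a PostgreSQL full-text index definition.

Added example, not CKAN's own code. Quoting rules follow PostgreSQL's
quote_ident()/quote_literal(); the index shape is an assumption.
"""
import re


def rejects_only_double_quotes(name: str) -> bool:
    """Assumed shape of the insufficient check: a name is 'valid' as long
    as it has no double quote, on the premise that identifiers are always
    wrapped in double quotes. A single quote sails straight through."""
    return '"' not in name


def is_conservative_field_name(name: str) -> bool:
    """Defence in depth: an allowlist that admits only letters, digits,
    underscores and spaces, so neither quote character can appear at all."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_ ]*", name) is not None


def quote_ident(name: str) -> str:
    """Quote a SQL identifier: wrap in double quotes and double any embedded
    double quote. Single quotes are inert inside an identifier."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Quote a SQL string literal: wrap in single quotes and double any
    embedded single quote (standard_conforming_strings semantics)."""
    return "'" + value.replace("'", "''") + "'"


def fts_index_expression(field: str, lang: str) -> str:
    """to_tsvector(...) over one text column. The language is a literal and
    the column is an identifier; each is quoted for its own context, so a
    quote character in either cannot change the statement's structure."""
    return "to_tsvector({lang}, cast({field} as text))".format(
        lang=quote_literal(lang), field=quote_ident(field))


def build_fts_index_sql(table: str, fields, lang: str = "english") -> list:
    """One CREATE INDEX statement per field (assumed layout)."""
    statements = []
    for i, field in enumerate(fields):
        idx = quote_ident("%s_fts_%d" % (table, i))
        statements.append("CREATE INDEX %s ON %s USING gin (%s)" % (
            idx, quote_ident(table), fts_index_expression(field, lang)))
    return statements


# Constructed field name with an embedded single quote, as a user could supply.
FIELD_WITH_APOSTROPHE = "owner's note"
```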