[CKAN-Security] Datastore sql injection (write access)
Nigel Babu
nigel.babu at okfn.org
Thu Oct 9 15:29:15 UTC 2014
Hi Alice,
I can confirm we've got this email.
Nigel.
On Oct 9, 2014 8:10 PM, Alice Heaton <a.heaton at nhm.ac.uk> wrote:
>
> Hello,
>
> I have found an SQL Injection :-) On master - I don't think that code
> was in a release yet.
>
> How to reproduce
> ------------------------
>
> On master, upload this CSV file to the datastore:
>
> The first field, The second field, MIX FIELD,fo;'));CREATE TABLE
> breakit(breakit integer);--ürth_field,lat,long
> a value, another value, a third value, a fourth value,21,14
> A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45
> ?,.*,a%b,""why"",88,-11
> ',"",;,",",61,12
> 1,2,3,4,0,0
>
> And you will get a new table called 'breakit' ! Only the text on the
> first line starting at the single quote and finishing at the double dash
> is relevant here; the rest was just me doing various tests.
>
> What happens
> -------------------
>
> When uploading the table, field names are validated to ensure that they
> don't contain double quotes, since field names are typically escaped
> using double quotes. However there is (at least) one context where field
> names are enclosed in single, rather than double, quotes: when creating
> full text indexes. Specifically when calling to_tsvector('language',
> 'field_name').
>
> The culprit is _build_fts_indexes in ckanext/datastore/db.py
>
> Vitor: I'm cc-ing you because last time I wrote to security at ckan.org I
> didn't get a reply, so I'm not sure anyone actually reads it...
>
> Can you confirm this has been received?
>
> Best Wishes,
> Alice Heaton
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/nigel.babu%40okfn.org
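The quoting-context mistake described in the report, as an added example that is not part of this message and is not CKAN's own code. It assumes a hypothetical index-builder that, like the report says, validates field names only against double quotes and then interpolates them as a single-quoted string into to_tsvector(); the hardened variant references the field as a double-quoted identifier (doubling any embedded double quotes) so the name can never terminate the statement. The field-name payload is copied from the report's CSV header; the statement splitter is a simplified stand-in for how a driver would see the resulting string, and the sqlite3 check only shows that the identifier quoting is accepted by a real SQL parser.

```python
import sqlite3

# Constructed from the report: the header field that starts at the single
# quote and ends at the double dash. No double quote in it, so the check
# the report describes lets it through.
REPORTED_FIELD = "fo;'));CREATE TABLE breakit(breakit integer);--\u00fcrth_field"


def validate_field_name(name):
    """The validation the report describes: only double quotes are rejected."""
    if '"' in name:
        raise ValueError("field names may not contain double quotes")
    return name


def vulnerable_fts_index_sql(table, field, lang="english"):
    """Hypothetical buggy builder: the field name lands inside single quotes,
    so the double-quote check above protects nothing in this context."""
    validate_field_name(field)
    return ('CREATE INDEX "{0}_fts" ON "{0}" '
            "(to_tsvector('{1}', '{2}'))".format(table, lang, field))


def quote_identifier(name):
    """PostgreSQL/SQL-standard identifier quoting: wrap in double quotes and
    double any double quote inside the name."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def hardened_fts_index_sql(table, field, lang="english"):
    """Hypothetical fixed builder: the column is referenced as a quoted
    identifier (cast to text for to_tsvector), and the language, which really
    is a string literal, is restricted to letters before interpolation."""
    if not lang.isalpha():
        raise ValueError("unexpected text search configuration name")
    return "CREATE INDEX {0} ON {1} (to_tsvector('{2}', {3}::text))".format(
        quote_identifier(table + "_fts"), quote_identifier(table),
        lang, quote_identifier(field))


def split_statements(sql):
    """Split on ';' outside quotes and '--' comments, roughly the way the
    server tokenizes a multi-statement string sent by the driver."""
    stmts, cur, quote, i = [], [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            cur.append(ch)
            if ch == quote:
                if sql[i + 1:i + 2] == quote:      # doubled quote stays inside
                    cur.append(quote)
                    i += 1
                else:
                    quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur.append(ch)
        elif sql.startswith("--", i):              # comment runs to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl < 0 else nl
            continue
        elif ch == ";":
            text = "".join(cur).strip()
            if text:
                stmts.append(text)
            cur = []
        else:
            cur.append(ch)
        i += 1
    text = "".join(cur).strip()
    if text:
        stmts.append(text)
    return stmts


def sqlite_accepts(identifier):
    """Sanity check against a real parser: SQLite uses the same double-quote
    identifier rules, so the quoted payload must come back as a plain column
    name and must not have created any extra table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t ({0} TEXT)".format(quote_identifier(identifier)))
    cols = [row[1] for row in con.execute("PRAGMA table_info(t)")]
    tables = [row[0] for row in con.execute("SELECT name FROM sqlite_master")]
    con.close()
    return cols == [identifier] and tables == ["t"]


if __name__ == "__main__":
    for builder in (vulnerable_fts_index_sql, hardened_fts_index_sql):
        sql = builder("resource_table", REPORTED_FIELD)
        print(builder.__name__, "->", len(split_statements(sql)), "statement(s)")
        print("   ", sql)
    print("sqlite accepts quoted identifier:", sqlite_accepts(REPORTED_FIELD))
```

Running the block prints two statements for the vulnerable builder (the second being the CREATE TABLE breakit from the report) and one for the hardened builder; the hardened output also shows that the offending text simply becomes a column name. The real fix is to never put an identifier into a string-literal context at all, rather than to extend the blacklist to single quotes.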