[CKAN-Security] Datastore sql injection (write access)

Nigel Babu nigel.babu at okfn.org
Thu Oct 9 15:29:15 UTC 2014


Hi Alice,

I can confirm we've got this email.

Nigel.

On Oct 9, 2014 8:10 PM, Alice Heaton <a.heaton at nhm.ac.uk> wrote:
>
> Hello, 
>
> I have found an SQL Injection :-) On master - I don't think that code 
> was in a release yet. 
>
> How to reproduce 
> ------------------------ 
>
> On master, upload this CSV file to the datastore: 
>
> The first field, The second field, MIX FIELD,fo;'));CREATE TABLE 
> breakit(breakit integer);--ürth_field,lat,long 
> a value, another value, a third value, a fourth value,21,14 
> A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45 
> ?,.*,a%b,""why"",88,-11 
> ',"",;,",",61,12 
> 1,2,3,4,0,0 
>
> And you will get a new table called 'breakit' ! Only the text on the 
> first line starting at the single quote and finishing at the double dash 
> is relevant here; the rest was just me doing various tests. 
>
> What happens 
> ------------------- 
>
> When uploading the table, field names are validated to ensure that they 
> don't contain double quotes, since field names are typically escaped 
> using double quotes. However there is (at least) one context where field 
> names are enclosed in single, rather than double, quotes: when creating 
> full text indexes. Specifically when calling to_tsvector('language', 
> 'field_name'). 
>
> The culprit is _build_fts_indexes in ckanext/datastore/db.py 
>
> Vitor: I'm cc-ing you because last time I wrote to security at ckan.org I 
> didn't get a reply, so I'm not sure anyone actually reads it... 
>
> Can you confirm this has been received? 
>
> Best Wishes, 
> Alice Heaton 
> _______________________________________________ 
> CKAN security 
> https://lists.okfn.org/mailman/listinfo/security 
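The quoting mismatch Alice describes, as an added example that is not CKAN's own code (the index statement shape, the table name and the helper names are assumptions): the double-quote-only field-name check, a builder that drops the name into a single-quoted literal unescaped, and the same builder with every interpolated value quoted for its context.

```python
# Constructed sample: the field name from the report's first CSV header,
# once the CSV layer has handed it over as a plain string.
HOSTILE_FIELD = "fo;'));CREATE TABLE breakit(breakit integer);--\u00fcrth_field"


def passes_double_quote_check(name: str) -> bool:
    """The validation the report describes: only double quotes are rejected."""
    return '"' not in name


def quote_identifier(name: str) -> str:
    """PostgreSQL identifier quoting: double quotes, embedded ones doubled."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """PostgreSQL string-literal quoting: single quotes, embedded ones doubled."""
    return "'" + value.replace("'", "''") + "'"


def fts_index_sql_unsafe(table: str, field: str, lang: str = "english") -> str:
    """Hypothetical builder with the flaw: the field name is placed inside a
    single-quoted literal with no escaping, so the double-quote check is moot."""
    return "CREATE INDEX ON %s USING gist(to_tsvector('%s', '%s'))" % (
        quote_identifier(table), lang, field)


def fts_index_sql_safe(table: str, field: str, lang: str = "english") -> str:
    """Hardened form: identifiers and literals are each quoted for their context."""
    return "CREATE INDEX ON %s USING gist(to_tsvector(%s, %s))" % (
        quote_identifier(table), quote_literal(lang), quote_literal(field))


def top_level_semicolons(sql: str) -> int:
    """Count ';' outside single-quoted literals; any such ';' means the value
    escaped its literal and a second statement can follow."""
    in_literal = False
    count = 0
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal  # a doubled '' toggles twice, net zero
        elif ch == ";" and not in_literal:
            count += 1
    return count
```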
