[CKAN-Security] HTML file upload issue

Ross Jones ross at servercode.co.uk
Wed Oct 15 12:11:40 UTC 2014


Hi,

This is probably worse than it might appear to be, because even being in an iframe users are not protected by the Same Origin policy (as it has the same origin).
I’m not particularly au fait with the storage code (although I did merge the extension in a while back) - is setting Content-Disposition for every resource the right thing to do? Can it be removed entirely for 2.3?

Ross


On 15 Oct 2014, at 12:37, Ilja Pyykkönen <ilja.pyykkonen at gofore.com> wrote:

> Dear CKAN,
> 
> Seems that you can upload HTML files to CKAN and CKAN happily serves those files.
> 
> http://demo.ckan.org/dataset/04e4a6f5-7220-4adc-9e8c-a477645f545c/resource/d13d0573-29bc-4909-96ac-b4c0a55a75cc/download/test.html
> 
> This of course allows injecting scripts and using it in user context.
> 
> There is commented code that would "fix" this issue, but it is not in use.
> 
> https://github.com/ckan/ckan/blob/master/ckan/controllers/storage.py#L185
> 
> This problem also occurs in resource preview.
> 
> http://demo.ckan.org/dataset/test1234/resource/d13d0573-29bc-4909-96ac-b4c0a55a75cc
> 
> Also, seems that HttpOnly is not set for cookies either, so you can use this method to steal a user's session.
> 
> Best regards,
> Ilja
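An added example (not part of the thread and not CKAN's code) of the two mitigations discussed above: choosing Content-Disposition for an uploaded resource served from the application's own origin, and checking Set-Cookie values for HttpOnly. The inline allowlist, the function names and the sample cookie values are assumptions made for illustration.

```python
import mimetypes
from urllib.parse import quote

# Assumption: the only types this hypothetical site renders inline.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "text/plain", "text/csv"}

def download_headers(filename):
    """Response headers for serving an uploaded resource from the app's origin."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    # Anything not on the allowlist (HTML, SVG, XML, unknown) is downloaded,
    # so the browser never renders it in the site's origin.
    disposition = "inline" if ctype in INLINE_SAFE else "attachment"
    # RFC 6266 filename* encoding keeps quotes and CR/LF out of the header.
    encoded = quote(filename, safe="")
    return [
        ("Content-Type", ctype),
        ("Content-Disposition", "%s; filename*=UTF-8''%s" % (disposition, encoded)),
        # Stop the browser from sniffing an "inert" type into HTML.
        ("X-Content-Type-Options", "nosniff"),
        # Second layer: if the file is rendered anyway, scripts do not run.
        ("Content-Security-Policy", "sandbox"),
    ]

def cookies_missing_httponly(set_cookie_headers):
    """Names of cookies whose Set-Cookie value lacks the HttpOnly attribute."""
    missing = []
    for value in set_cookie_headers:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        if not any(p.lower() == "httponly" for p in parts[1:]):
            missing.append(name)
    return missing

# Constructed sample values, not taken from a CKAN response.
SAMPLE_COOKIES = ["session=abc123; Path=/", "prefs=dark; Path=/; HttpOnly"]

if __name__ == "__main__":
    for name in ("test.html", "chart.png"):
        print(name, "->", dict(download_headers(name))["Content-Disposition"])
    print("missing HttpOnly:", cookies_missing_httponly(SAMPLE_COOKIES))
```
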



