[CKAN-Security] Security post from joerg-thomas.vogt at yourdata.de requires approval
Adrià Mercader
adria.mercader at okfn.org
Thu Feb 26 17:32:55 UTC 2015
Thanks for this Thomas, we'll discuss on the next dev meeting and come
back to you.
BTW the other issue you reported (XSS on CSV previews) has been fixed
and backported and will be available on the next patch release:
https://github.com/ckan/ckan/pull/2319
The other regarding the text preview is a bit more tricky to solve as
we can not guarantee a proper rendering and stripping all potentially
dangerous tags at the same time. I'd suggest not enabling the
text_view extension unless you trust the sources of the files rendered
for now.
Thanks,
Adrià
On 26 February 2015 at 17:10, Rufus Pollock <rufus.pollock at okfn.org> wrote:
> ---------- Forwarded message ----------
> From: "Jörg-Thomas Vogt" <joerg-thomas.vogt at yourdata.de>
> To: security at ckan.org
> Cc:
> Date: Thu, 26 Feb 2015 11:03:28 +0100
> Subject: cross-site scriping issue with email fields
> Hello everybody,
>
> I'm using CKAN 2.2.1 and evaluating CKAN 2.3.
> A penetration test raised the following issue:
>
> after specifying the following code e.g. in the author or maintainer email
> field for a resource
>
> "><script>alert(document.cookie)</script>
>
> this code will be executed after navigating to the resource (opening a popup
> with cookie informations).
> Putting above code into the field for maintainer name or author name does
> not lead to
> code execution.
>
> I'm neither a CKAN expert nor a python developer but I suggest to check at
> least the email
> fields for proper addresses.
>
> I've added some code to ckan/logic/schema.py and ckan/logic/validators.py to
> perform some
> basic checks. After these modifications it's not possible anymore to provide
> above script code
> in an email field but I'm not sure whether the code will cover all possible
> XSS attacks.
>
> Kind regards
>
> Thomas
>
>
> =================== ckan/logic/schema.py ===========
> *** schema_2.3.py 2015-02-26 09:56:39.741258600 +0100
> --- schema_2.3_patched.py 2015-02-26 10:26:05.493253800 +0100
> ***************
> *** 35,40 ****
> --- 35,41 ----
> is_positive_integer,
> boolean_validator,
> user_about_validator,
> + email_validator,
> vocabulary_name_validator,
> vocabulary_id_not_changed,
> vocabulary_id_exists,
> ***************
> *** 142,150 ****
> 'name': [not_empty, unicode, name_validator,
> package_name_validator],
> 'title': [if_empty_same_as("name"), unicode],
> 'author': [ignore_missing, unicode],
> ! 'author_email': [ignore_missing, unicode],
> 'maintainer': [ignore_missing, unicode],
> ! 'maintainer_email': [ignore_missing, unicode],
> 'license_id': [ignore_missing, unicode],
> 'notes': [ignore_missing, unicode],
> 'url': [ignore_missing, unicode],#, URL(add_http=False)],
> --- 143,151 ----
> 'name': [not_empty, unicode, name_validator,
> package_name_validator],
> 'title': [if_empty_same_as("name"), unicode],
> 'author': [ignore_missing, unicode],
> ! 'author_email': [ignore_missing, email_validator, unicode],
> 'maintainer': [ignore_missing, unicode],
> ! 'maintainer_email': [ignore_missing, email_validator, unicode],
> 'license_id': [ignore_missing, unicode],
> 'notes': [ignore_missing, unicode],
> 'url': [ignore_missing, unicode],#, URL(add_http=False)],
> ***************
> *** 428,434 ****
> 'name': [not_empty, name_validator, user_name_validator, unicode],
> 'fullname': [ignore_missing, unicode],
> 'password': [user_password_validator, user_password_not_empty,
> ignore_missing, unicode],
> ! 'email': [not_empty, unicode],
> 'about': [ignore_missing, user_about_validator, unicode],
> 'created': [ignore],
> 'openid': [ignore_missing],
> --- 429,435 ----
> 'name': [not_empty, name_validator, user_name_validator, unicode],
> 'fullname': [ignore_missing, unicode],
> 'password': [user_password_validator, user_password_not_empty,
> ignore_missing, unicode],
> ! 'email': [not_empty, email_validator, unicode],
> 'about': [ignore_missing, user_about_validator, unicode],
> 'created': [ignore],
> 'openid': [ignore_missing],
> ***************
> *** 473,479 ****
>
> def default_user_invite_schema():
> schema = {
> ! 'email': [not_empty, unicode],
> 'group_id': [not_empty],
> 'role': [not_empty],
> }
> --- 474,480 ----
>
> def default_user_invite_schema():
> schema = {
> ! 'email': [not_empty, email_validator, unicode],
> 'group_id': [not_empty],
> 'role': [not_empty],
> }
> =================== ckan/logic/schema.py ===========
>
> =================== ckan/logic/validators.py ===========
> *** validators_2.3.py 2015-02-26 09:57:09.279948100 +0100
> --- validators_2.3_patched.py 2015-02-26 10:28:37.267934800 +0100
> ***************
> *** 1,5 ****
> --- 1,6 ----
> import collections
> import datetime
> + from email.utils import parseaddr
> from itertools import count
> import re
> import mimetypes
> ***************
> *** 621,626 ****
> --- 622,632 ----
>
> return value
>
> + def email_validator(value,context):
> + if value and not '@' in parseaddr(value)[1]:
> + raise Invalid(_('Invalid mail address.'))
> + return value
> +
> def vocabulary_name_validator(name, context):
> model = context['model']
> session = context['session']
> =================== ckan/logic/validators.py ===========
>
> --
> Joerg-Thomas Vogt
>
> yourdata GmbH, Büchsenstr. 28, 70174 Stuttgart
> Tel +49 711 490 448 24, Fax +49 711 490 448 36
> joerg-thomas.vogt at yourdata.de, http://www.yourdata.de/
> Geschäftsführer: Jörg Vogler, Dr. Markus Eberspächer
> Sitz Stuttgart, AG Stuttgart, HRB 725115
More information about the Security
mailing list