[CKAN-Security] Security post from joerg-thomas.vogt at yourdata.de requires approval

Jörg-Thomas Vogt joerg-thomas.vogt at yourdata.de
Fri Mar 20 14:05:49 UTC 2015


Adrià,

thanks for the fix #2319!
Any news about the XSS issue with email fields?
Maybe it's fixed as well, but I can't find it in the changelog of 2.3.

Many thanks and kind regards

Thomas


On 26.02.2015 at 18:32, Adrià Mercader wrote:
> Thanks for this Thomas, we'll discuss on the next dev meeting and come
> back to you.
>
> BTW the other issue you reported (XSS on CSV previews) has been fixed
> and backported and will be available on the next patch release:
>
> https://github.com/ckan/ckan/pull/2319
>
> The other regarding the text preview is a bit more tricky to solve as
> we can not guarantee a proper rendering and stripping all potentially
> dangerous tags at the same time. I'd suggest not enabling the
> text_view extension unless you trust the sources of the files rendered
> for now.
>
> Thanks,
>
> Adrià
>
>
> On 26 February 2015 at 17:10, Rufus Pollock <rufus.pollock at okfn.org> wrote:
>> ---------- Forwarded message ----------
>> From: "Jörg-Thomas Vogt" <joerg-thomas.vogt at yourdata.de>
>> To: security at ckan.org
>> Cc:
>> Date: Thu, 26 Feb 2015 11:03:28 +0100
>> Subject: cross-site scripting issue with email fields
>> Hello everybody,
>>
>> I'm using CKAN 2.2.1 and evaluating CKAN 2.3.
>> A penetration test raised the following issue:
>>
>> after specifying the following code, e.g. in the author or maintainer email
>> field for a resource,
>>
>> "><script>alert(document.cookie)</script>
>>
>> this code will be executed after navigating to the resource (opening a popup
>> with cookie information).
>> Putting the above code into the field for maintainer name or author name does
>> not lead to code execution.
>>
>> I'm neither a CKAN expert nor a Python developer, but I suggest checking at
>> least the email fields for proper addresses.
>>
>> I've added some code to ckan/logic/schema.py and ckan/logic/validators.py to
>> perform some basic checks. After these modifications it's not possible anymore
>> to provide the above script code in an email field, but I'm not sure whether
>> the code will cover all possible XSS attacks.
>>
>> Kind regards
>>
>> Thomas
>>
>>
>> =================== ckan/logic/schema.py ===========
>> *** schema_2.3.py       2015-02-26 09:56:39.741258600 +0100
>> --- schema_2.3_patched.py       2015-02-26 10:26:05.493253800 +0100
>> ***************
>> *** 35,40 ****
>> --- 35,41 ----
>>                                       is_positive_integer,
>>                                       boolean_validator,
>>                                       user_about_validator,
>> +                                    email_validator,
>> vocabulary_name_validator,
>> vocabulary_id_not_changed,
>>                                       vocabulary_id_exists,
>> ***************
>> *** 142,150 ****
>>            'name': [not_empty, unicode, name_validator,
>> package_name_validator],
>>            'title': [if_empty_same_as("name"), unicode],
>>            'author': [ignore_missing, unicode],
>> !         'author_email': [ignore_missing, unicode],
>>            'maintainer': [ignore_missing, unicode],
>> !         'maintainer_email': [ignore_missing, unicode],
>>            'license_id': [ignore_missing, unicode],
>>            'notes': [ignore_missing, unicode],
>>            'url': [ignore_missing, unicode],#, URL(add_http=False)],
>> --- 143,151 ----
>>            'name': [not_empty, unicode, name_validator,
>> package_name_validator],
>>            'title': [if_empty_same_as("name"), unicode],
>>            'author': [ignore_missing, unicode],
>> !         'author_email': [ignore_missing, email_validator, unicode],
>>            'maintainer': [ignore_missing, unicode],
>> !         'maintainer_email': [ignore_missing, email_validator, unicode],
>>            'license_id': [ignore_missing, unicode],
>>            'notes': [ignore_missing, unicode],
>>            'url': [ignore_missing, unicode],#, URL(add_http=False)],
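
Review bot: adding email_validator to author_email and maintainer_email only guards values submitted from now on; any of these fields already stored before the patch keeps whatever markup it contains and is still rendered, so the change needs a one-off pass over existing package records to be complete. The report also notes that the same input in the author and maintainer name fields is not executed, which points at the real defect being how the email fields are rendered rather than what they accept: input validation is a sensible second line, but the template output for these two fields has to be escaped regardless of this schema change.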
>> ***************
>> *** 428,434 ****
>>            'name': [not_empty, name_validator, user_name_validator, unicode],
>>            'fullname': [ignore_missing, unicode],
>>            'password': [user_password_validator, user_password_not_empty,
>> ignore_missing, unicode],
>> !         'email': [not_empty, unicode],
>>            'about': [ignore_missing, user_about_validator, unicode],
>>            'created': [ignore],
>>            'openid': [ignore_missing],
>> --- 429,435 ----
>>            'name': [not_empty, name_validator, user_name_validator, unicode],
>>            'fullname': [ignore_missing, unicode],
>>            'password': [user_password_validator, user_password_not_empty,
>> ignore_missing, unicode],
>> !         'email': [not_empty, email_validator, unicode],
>>            'about': [ignore_missing, user_about_validator, unicode],
>>            'created': [ignore],
>>            'openid': [ignore_missing],
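
Review bot: email_validator runs before unicode in `'email': [not_empty, email_validator, unicode]`, so a non-string value (for example a number posted through the API) reaches parseaddr() uncoerced, and parseaddr() would then fail with a TypeError that propagates as an unhandled error instead of the Invalid the validator intends. Either order the chain as `[not_empty, unicode, email_validator]` or have email_validator reject non-string input itself, so the user gets a normal validation message.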
>> ***************
>> *** 473,479 ****
>>
>>    def default_user_invite_schema():
>>        schema = {
>> !         'email': [not_empty, unicode],
>>            'group_id': [not_empty],
>>            'role': [not_empty],
>>        }
>> --- 474,480 ----
>>
>>    def default_user_invite_schema():
>>        schema = {
>> !         'email': [not_empty, email_validator, unicode],
>>            'group_id': [not_empty],
>>            'role': [not_empty],
>>        }
>> =================== ckan/logic/schema.py ===========
>>
>> =================== ckan/logic/validators.py ===========
>> *** validators_2.3.py   2015-02-26 09:57:09.279948100 +0100
>> --- validators_2.3_patched.py   2015-02-26 10:28:37.267934800 +0100
>> ***************
>> *** 1,5 ****
>> --- 1,6 ----
>>    import collections
>>    import datetime
>> + from email.utils import parseaddr
>>    from itertools import count
>>    import re
>>    import mimetypes
>> ***************
>> *** 621,626 ****
>> --- 622,632 ----
>>
>>        return value
>>
>> + def email_validator(value,context):
>> +     if value and not '@' in parseaddr(value)[1]:
>> +         raise Invalid(_('Invalid mail address.'))
>> +     return value
>> +
>>    def vocabulary_name_validator(name, context):
>>        model = context['model']
>>        session = context['session']
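
Review bot: email_validator proves only that parseaddr() can extract an address from the value and then returns the original value, not parseaddr(value)[1]. parseaddr() is a lenient header parser that pulls out the first address it finds and ignores the text around it, so any value that contains a parseable address somewhere passes, and the untouched surrounding text is what gets stored and later rendered. The check would carry more weight if it compared the parsed address with the whole stripped value and rejected on mismatch (or matched the whole value against a conservative addr-spec pattern), and returned the normalised address. Minor: `not '@' in ...` reads better as `'@' not in ...`, the signature wants `value, context`, a one-line docstring like the neighbouring validators would help, and the hunk relies on Invalid and _ already being imported in this module since no import is added for them.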
>> =================== ckan/logic/validators.py ===========
>>

-- 
Joerg-Thomas Vogt

yourdata GmbH, Büchsenstr. 28, 70174 Stuttgart
Tel +49 711 490 448 24, Fax +49 711 490 448 36
joerg-thomas.vogt at yourdata.de, http://www.yourdata.de/
Managing Directors: Jörg Vogler, Dr. Markus Eberspächer
Registered office Stuttgart, Stuttgart Local Court (AG Stuttgart), HRB 725115
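
A stricter validator in the same (value, context) shape, added here as an illustration and not code from the report or from CKAN: it accepts a value only when the whole stripped value is a single plain address, returns that normalised form, and turns non-string input into a validation error instead of a crash. The Invalid class, the addr-spec pattern and the sample inputs are this example's own assumptions, not CKAN's.

```python
import re
from email.utils import parseaddr


class Invalid(Exception):
    """Stand-in for ckan.lib.navl.dictization_functions.Invalid (assumption:
    a real CKAN validator would raise CKAN's own Invalid)."""


# Conservative addr-spec shape: one local part, one '@', a dotted domain.
# Anything outside this character set (including '<', '>', '"', '/') fails.
_ADDR_SPEC = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')


def strict_email_validator(value, context=None):
    """CKAN-style validator: accept only if the WHOLE value is one plain
    address; return it normalised (stripped). Empty values are passed through
    so ignore_missing / not_empty in the schema chain keep deciding them."""
    if value is None or value == '':
        return value
    if not isinstance(value, str):
        # A validation error, not a TypeError, for odd API input
        raise Invalid('Invalid mail address.')
    candidate = value.strip()
    # parseaddr() will happily extract an address out of surrounding text;
    # we only accept when the extracted address IS the whole value.
    parsed = parseaddr(candidate)[1]
    if parsed != candidate or not _ADDR_SPEC.match(candidate):
        raise Invalid('Invalid mail address.')
    return candidate


def accepts(value):
    """Demo helper: True if strict_email_validator accepts the value."""
    try:
        strict_email_validator(value, {})
        return True
    except Invalid:
        return False


if __name__ == '__main__':
    # Constructed sample inputs for the demo, not values from the report.
    for sample in ['user@example.org', ' user@example.org ',
                   'user@example.org trailing text',
                   'Someone <user@example.org>', 'user@localhost', 42]:
        print(repr(sample), '->', accepts(sample))
```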