[CKAN-Security] Security post from joerg-thomas.vogt at yourdata.de requires approval
Ian Ward
ian at excess.org
Fri Mar 20 19:05:34 UTC 2015
Hi Thomas,
I'm assigned to look at that. I'll be writing a new helper for the
templates, probably early next week.
Ian
On Fri, Mar 20, 2015 at 10:05 AM, Jörg-Thomas Vogt
<joerg-thomas.vogt at yourdata.de> wrote:
> Adrià,
>
> thanks for the fix #2319!
> Any news about the XSS issue with email fields?
> Maybe it's fixed as well but I can't find it in the changelog of 2.3.
>
> Many thanks and kind regards
>
> Thomas
>
>
> On 26.02.2015 at 18:32, Adrià Mercader wrote:
>
>> Thanks for this Thomas, we'll discuss on the next dev meeting and come
>> back to you.
>>
>> BTW the other issue you reported (XSS on CSV previews) has been fixed
>> and backported and will be available on the next patch release:
>>
>> https://github.com/ckan/ckan/pull/2319
>>
>> The other regarding the text preview is a bit more tricky to solve as
>> we can not guarantee a proper rendering and stripping all potentially
>> dangerous tags at the same time. I'd suggest not enabling the
>> text_view extension unless you trust the sources of the files rendered
>> for now.
>>
>> Thanks,
>>
>> Adrià
>>
>>
>> On 26 February 2015 at 17:10, Rufus Pollock <rufus.pollock at okfn.org>
>> wrote:
>>>
>>> ---------- Forwarded message ----------
>>> From: "Jörg-Thomas Vogt" <joerg-thomas.vogt at yourdata.de>
>>> To: security at ckan.org
>>> Cc:
>>> Date: Thu, 26 Feb 2015 11:03:28 +0100
>>> Subject: cross-site scripting issue with email fields
>>> Hello everybody,
>>>
>>> I'm using CKAN 2.2.1 and evaluating CKAN 2.3.
>>> A penetration test raised the following issue:
>>>
>>> after specifying the following code e.g. in the author or maintainer
>>> email field for a resource
>>>
>>> "><script>alert(document.cookie)</script>
>>>
>>> this code will be executed after navigating to the resource (opening a
>>> popup with cookie information).
>>> Putting the above code into the field for maintainer name or author name
>>> does not lead to code execution.
>>>
>>> I'm neither a CKAN expert nor a python developer but I suggest checking
>>> at least the email fields for proper addresses.
>>>
>>> I've added some code to ckan/logic/schema.py and ckan/logic/validators.py
>>> to perform some basic checks. After these modifications it's not possible
>>> anymore to provide the above script code in an email field, but I'm not
>>> sure whether the code will cover all possible XSS attacks.
>>>
>>> Kind regards
>>>
>>> Thomas
>>>
>>>
>>> =================== ckan/logic/schema.py ===========
>>> *** schema_2.3.py 2015-02-26 09:56:39.741258600 +0100
>>> --- schema_2.3_patched.py 2015-02-26 10:26:05.493253800 +0100
>>> ***************
>>> *** 35,40 ****
>>> --- 35,41 ----
>>> is_positive_integer,
>>> boolean_validator,
>>> user_about_validator,
>>> + email_validator,
>>> vocabulary_name_validator,
>>> vocabulary_id_not_changed,
>>> vocabulary_id_exists,
>>> ***************
>>> *** 142,150 ****
>>> 'name': [not_empty, unicode, name_validator,
>>> package_name_validator],
>>> 'title': [if_empty_same_as("name"), unicode],
>>> 'author': [ignore_missing, unicode],
>>> ! 'author_email': [ignore_missing, unicode],
>>> 'maintainer': [ignore_missing, unicode],
>>> ! 'maintainer_email': [ignore_missing, unicode],
>>> 'license_id': [ignore_missing, unicode],
>>> 'notes': [ignore_missing, unicode],
>>> 'url': [ignore_missing, unicode],#, URL(add_http=False)],
>>> --- 143,151 ----
>>> 'name': [not_empty, unicode, name_validator,
>>> package_name_validator],
>>> 'title': [if_empty_same_as("name"), unicode],
>>> 'author': [ignore_missing, unicode],
>>> ! 'author_email': [ignore_missing, email_validator, unicode],
>>> 'maintainer': [ignore_missing, unicode],
>>> ! 'maintainer_email': [ignore_missing, email_validator, unicode],
>>> 'license_id': [ignore_missing, unicode],
>>> 'notes': [ignore_missing, unicode],
>>> 'url': [ignore_missing, unicode],#, URL(add_http=False)],
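Review bot: the `author_email` and `maintainer_email` lines add `email_validator` to the package (dataset) schema, but the report describes the payload firing on the resource page; confirm these are the fields rendered there, since no resource-level schema is touched in this patch. Also keep in mind what a schema change does and does not buy: it constrains new input, while values already stored (or written through a schema this hunk does not cover) still reach the template unescaped, so the template-side helper Ian mentions is the fix that actually closes the XSS and this validation is defence in depth. Placing the validator before `unicode` is consistent with how `user_about_validator` is ordered elsewhere in this file.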
>>> ***************
>>> *** 428,434 ****
>>> 'name': [not_empty, name_validator, user_name_validator,
>>> unicode],
>>> 'fullname': [ignore_missing, unicode],
>>> 'password': [user_password_validator, user_password_not_empty,
>>> ignore_missing, unicode],
>>> ! 'email': [not_empty, unicode],
>>> 'about': [ignore_missing, user_about_validator, unicode],
>>> 'created': [ignore],
>>> 'openid': [ignore_missing],
>>> --- 429,435 ----
>>> 'name': [not_empty, name_validator, user_name_validator,
>>> unicode],
>>> 'fullname': [ignore_missing, unicode],
>>> 'password': [user_password_validator, user_password_not_empty,
>>> ignore_missing, unicode],
>>> ! 'email': [not_empty, email_validator, unicode],
>>> 'about': [ignore_missing, user_about_validator, unicode],
>>> 'created': [ignore],
>>> 'openid': [ignore_missing],
>>> ***************
>>> *** 473,479 ****
>>>
>>> def default_user_invite_schema():
>>> schema = {
>>> ! 'email': [not_empty, unicode],
>>> 'group_id': [not_empty],
>>> 'role': [not_empty],
>>> }
>>> --- 474,480 ----
>>>
>>> def default_user_invite_schema():
>>> schema = {
>>> ! 'email': [not_empty, email_validator, unicode],
>>> 'group_id': [not_empty],
>>> 'role': [not_empty],
>>> }
>>> =================== ckan/logic/schema.py ===========
>>>
>>> =================== ckan/logic/validators.py ===========
>>> *** validators_2.3.py 2015-02-26 09:57:09.279948100 +0100
>>> --- validators_2.3_patched.py 2015-02-26 10:28:37.267934800 +0100
>>> ***************
>>> *** 1,5 ****
>>> --- 1,6 ----
>>> import collections
>>> import datetime
>>> + from email.utils import parseaddr
>>> from itertools import count
>>> import re
>>> import mimetypes
>>> ***************
>>> *** 621,626 ****
>>> --- 622,632 ----
>>>
>>> return value
>>>
>>> + def email_validator(value,context):
>>> + if value and not '@' in parseaddr(value)[1]:
>>> + raise Invalid(_('Invalid mail address.'))
>>> + return value
>>> +
>>> def vocabulary_name_validator(name, context):
>>> model = context['model']
>>> session = context['session']
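Review bot: `email_validator` inspects only the addr-spec half of `parseaddr(value)` but returns the original `value`, so an input of the form `Name <user@example.org>` passes (the `[1]` component contains '@') and the untouched display-name portion is what gets stored; either return the parsed address or reject when `parseaddr(value)[1] != value.strip()`. `parseaddr` is a lenient header parser rather than a validator, and a bare '@' check accepts strings such as `a@b`, so pair it with a stricter pattern if the goal is "proper addresses". Style: `value, context` with a space and `'@' not in ...` rather than `not '@' in ...`; and confirm `_` and `Invalid` are already available in this module, since the import hunk above adds only `parseaddr`.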
>>> =================== ckan/logic/validators.py ===========
>>>
>>> --
>>> Joerg-Thomas Vogt
>>>
>>> yourdata GmbH, Büchsenstr. 28, 70174 Stuttgart
>>> Tel +49 711 490 448 24, Fax +49 711 490 448 36
>>> joerg-thomas.vogt at yourdata.de, http://www.yourdata.de/
>>> Managing directors: Jörg Vogler, Dr. Markus Eberspächer
>>> Registered office Stuttgart, Stuttgart District Court (AG Stuttgart), HRB 725115
>
>
>
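Added example (not from this thread and not CKAN's own code): a hardened form of the `email_validator` pattern in Thomas's patch that closes the display-name gap, alongside the output-escaping step that a template helper would perform. `Invalid` is a stand-in for CKAN's exception class (assumption); the sample inputs are constructed and include the payload quoted in the report.

```python
import html
import re
from email.utils import parseaddr

# Constructed sample inputs: the payload quoted in the report plus two
# shapes that a bare "'@' in parseaddr(value)[1]" check treats differently.
SAMPLES = {
    'plain': 'user@example.org',
    'payload': '"><script>alert(document.cookie)</script>',
    'display_name': '"><script>alert(1)</script>" <user@example.org>',
    'missing_at': 'user.example.org',
}

# Conservative addr-spec: exactly one '@', no whitespace, quotes or angle
# brackets, and a dotted domain. Deliberately rejects some RFC-legal forms.
_ADDR_SPEC = re.compile(r'^[^\s"<>@]+@[^\s"<>@]+\.[^\s"<>@]+$')


class Invalid(ValueError):
    """Stand-in for CKAN's Invalid exception (assumption, not the real class)."""


def strict_email_validator(value, context=None):
    """Hardened form of the patch's email_validator.

    The patch checks only that parseaddr(value)[1] contains '@' and returns
    value untouched, so 'Name <user@example.org>' is accepted and the display
    name is stored verbatim. Here the parsed addr-spec must be the whole input
    and must match the conservative pattern; the parsed address is returned.
    """
    if not value:
        return value
    addr = parseaddr(value)[1]
    if addr != value.strip() or not _ADDR_SPEC.match(addr):
        raise Invalid('Invalid mail address.')
    return addr


def render_email_attr(value):
    """Output-side defence: escape before the value lands in an HTML attribute.
    quote=True also encodes the '"' the reported payload uses to break out."""
    return 'href="mailto:%s"' % html.escape(value, quote=True)


def check_samples():
    """Run every sample through the validator; None means it was rejected."""
    results = {}
    for name, raw in SAMPLES.items():
        try:
            results[name] = strict_email_validator(raw)
        except Invalid:
            results[name] = None
    return results
```

Only the plain address survives validation, and even the raw payload is inert once `render_email_attr` has escaped it.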