[CKAN-Security] Private Package Leak
Tyler Kennedy
tk at tkte.ch
Wed Mar 15 16:13:39 UTC 2017
Hey all,
The following git-patch can be used to quickly fix package leaks back to
CKAN v2.4 while keeping your current functionality.
Thank you,
Tyler Kennedy
From 5a01275cacb095f0fb557ae52bc54f854f5b4703 Mon Sep 17 00:00:00 2001
From: Tyler Kennedy <tk at tkte.ch>
Date: Wed, 15 Mar 2017 12:09:48 -0400
Subject: [PATCH] Package auth check on revision diffs.
---
ckan/controllers/revision.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ckan/controllers/revision.py b/ckan/controllers/revision.py
index 171d7db..9884cee 100644
--- a/ckan/controllers/revision.py
+++ b/ckan/controllers/revision.py
@@ -157,6 +157,15 @@ def diff(self, id=None):
c.diff_entity = request.params.get('diff_entity')
if c.diff_entity == 'package':
+ try:
+ logic.check_access('package_show', {
+ 'model': model,
+ 'user': c.user or c.author,
+ 'auth_user_obj': c.userobj
+ }, {'id': id})
+ except logic.NotAuthorized:
+ base.abort(401)
+
c.pkg = model.Package.by_name(id)
diff = c.pkg.diff(c.revision_to, c.revision_from)
elif c.diff_entity == 'group':
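Review bot: the `except logic.NotAuthorized` clause is the only handler around the new `logic.check_access('package_show', ...)` call, so any other exception the auth check raises for an unknown `id` will propagate as a server error instead of a clean 404; consider also catching the not-found case and aborting with 404 before `c.pkg = model.Package.by_name(id)` runs. Two smaller points: `base.abort(401)` returns "unauthenticated" even for a logged-in user who simply lacks read access, where 403 is the more accurate status (keep 401 only if that is the convention elsewhere in this controller), and the `elif c.diff_entity == 'group':` branch that closes the hunk gets no equivalent access check, so confirm whether group diffs need the same guard. The diffstat shows only `ckan/controllers/revision.py` changing; a test asserting that a private package's revision diff is denied to an anonymous user would make the fix verifiable and prevent regression in the backport.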