[CKAN-Security] Private Package Leak
Ian Ward
ian at excess.org
Sun Mar 19 13:58:42 UTC 2017
To exploit this you need the revision ids... and those are being leaked
out of the list method above :-(
Yes, this one is nasty.
One small change: Let's abort with a 404 instead of a 401 to match the
package controller's handling of NotAuthorized.
On Wed, Mar 15, 2017 at 12:13 PM, Tyler Kennedy <tk at tkte.ch> wrote:
> Hey all,
>
> The following git-patch can be used to quickly fix package leaks back to
> CKAN v2.4 while keeping your current functionality.
>
> Thank you,
> Tyler Kennedy
>
> From 5a01275cacb095f0fb557ae52bc54f854f5b4703 Mon Sep 17 00:00:00 2001
> From: Tyler Kennedy <tk at tkte.ch>
> Date: Wed, 15 Mar 2017 12:09:48 -0400
> Subject: [PATCH] Package auth check on revision diffs.
>
> ---
> ckan/controllers/revision.py | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/ckan/controllers/revision.py b/ckan/controllers/revision.py
> index 171d7db..9884cee 100644
> --- a/ckan/controllers/revision.py
> +++ b/ckan/controllers/revision.py
> @@ -157,6 +157,15 @@ def diff(self, id=None):
>
> c.diff_entity = request.params.get('diff_entity')
> if c.diff_entity == 'package':
> + try:
> + logic.check_access('package_show', {
> + 'model': model,
> + 'user': c.user or c.author,
> + 'auth_user_obj': c.userobj
> + }, {'id': id})
> + except logic.NotAuthorized:
> + base.abort(401)
> +
> c.pkg = model.Package.by_name(id)
> diff = c.pkg.diff(c.revision_to, c.revision_from)
> elif c.diff_entity == 'group':
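Review bot: the "base.abort(401)" in the "except logic.NotAuthorized" branch does not match the package controller, which answers NotAuthorized with a 404; use "base.abort(404)" here so a refused request for a private package's revision diff looks the same as one for a package that does not exist. The check is also added only to the "if c.diff_entity == 'package':" branch; the "elif c.diff_entity == 'group':" branch that follows gets no equivalent group_show check, so confirm whether group diffs need the same guard. Only logic.NotAuthorized is caught: if logic.check_access can raise logic.NotFound for an unknown id, catch that too and abort 404 rather than let it propagate.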
>
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>
> Repo: https://github.com/ckan/ckan-security
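As an added example that is not part of the original thread or of CKAN's code, the Python below models the fix discussed above end to end. The package table, membership table, package_show auth function, check_access and abort are all constructed stand-ins for CKAN's logic.check_access, its package_show auth function and base.abort, and the two controller functions model RevisionController.diff before and after the patch, with the 404 Ian asks for in place of 401. Run it and the before-patch function hands an anonymous caller who knows the revision ids the private package's diff, while the patched one answers a private package and a nonexistent package identically.

```python
# Added example (not CKAN's own code): a self-contained model of the
# revision-diff authorization fix discussed in this thread.  PACKAGES,
# MEMBERS, package_show_auth, check_access, abort and the two controller
# functions are constructed stand-ins for the CKAN pieces the patch
# touches (logic.check_access, the package_show auth function, base.abort
# and RevisionController.diff).


class NotAuthorized(Exception):
    """Stand-in for ckan.logic.NotAuthorized."""


class NotFound(Exception):
    """Stand-in for ckan.logic.NotFound."""


class HTTPError(Exception):
    """Stand-in for the response that base.abort(status) raises."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


def abort(status):
    raise HTTPError(status)


# Constructed sample data: one public package, one private to the "acme"
# org, each with two revisions whose content we can diff.
PACKAGES = {
    "public-dataset": {"private": False, "owner_org": None,
                       "revisions": {"r1": "rows=10", "r2": "rows=12"}},
    "secret-dataset": {"private": True, "owner_org": "acme",
                       "revisions": {"r1": "token=old", "r2": "token=new"}},
}
# Constructed membership table: user -> organisations.
MEMBERS = {"alice": {"acme"}}


def package_show_auth(context, data_dict):
    """Model of the package_show auth function: anyone may see a public
    package, only members of the owning org may see a private one."""
    pkg = PACKAGES.get(data_dict["id"])
    if pkg is None:
        raise NotFound(data_dict["id"])
    if not pkg["private"]:
        return {"success": True}
    orgs = MEMBERS.get(context.get("user"), set())
    return {"success": pkg["owner_org"] in orgs}


AUTH_FUNCTIONS = {"package_show": package_show_auth}


def check_access(action, context, data_dict):
    """Model of logic.check_access: run the auth function, raise on refusal."""
    if not AUTH_FUNCTIONS[action](context, data_dict)["success"]:
        raise NotAuthorized(action)
    return True


def package_diff(pkg, rev_from, rev_to):
    return "- %s\n+ %s" % (pkg["revisions"][rev_from], pkg["revisions"][rev_to])


def revision_diff_unpatched(user, pkg_id, rev_from, rev_to):
    """Pre-patch behaviour for diff_entity=package: no access check at all
    (user is ignored), so an anonymous caller who knows the revision ids
    gets a private package's diff."""
    pkg = PACKAGES.get(pkg_id)
    if pkg is None:
        abort(404)
    return package_diff(pkg, rev_from, rev_to)


def revision_diff_patched(user, pkg_id, rev_from, rev_to):
    """Patched behaviour: package_show access check first, answering
    NotAuthorized with 404 (as Ian suggests) rather than 401, so the
    response for a private package matches that for a missing one."""
    context = {"user": user}
    try:
        check_access("package_show", context, {"id": pkg_id})
    except (NotAuthorized, NotFound):
        abort(404)
    return package_diff(PACKAGES[pkg_id], rev_from, rev_to)


def observed_status(view, user, pkg_id):
    """HTTP status an observer sees from `view`: 200 on success, else the
    aborted status."""
    try:
        view(user, pkg_id, "r1", "r2")
        return 200
    except HTTPError as e:
        return e.status


if __name__ == "__main__":
    for view in (revision_diff_unpatched, revision_diff_patched):
        for user in (None, "alice"):
            for pkg_id in ("public-dataset", "secret-dataset", "no-such-dataset"):
                print(view.__name__, user, pkg_id,
                      observed_status(view, user, pkg_id))
```

The design point is the pair of 404s in revision_diff_patched: an anonymous caller cannot tell secret-dataset from no-such-dataset, which is what aligning with the package controller's NotAuthorized handling buys beyond simply refusing the request.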