[CKAN-Security] Private Package Leak

Ian Ward ian at excess.org
Sun Mar 19 13:58:42 UTC 2017


To exploit this you need the revision ids... and those are being leaked
out of the list method above :-(

Yes this one is nasty.

One small change: Let's abort with a 404 instead of a 401 to match the
package controller's handling of NotAuthorized.

On Wed, Mar 15, 2017 at 12:13 PM, Tyler Kennedy <tk at tkte.ch> wrote:
> Hey all,
>
> The following git-patch can be used to quickly fix package leaks back to
> CKAN v2.4 while keeping your current functionality.
>
> Thank you,
> Tyler Kennedy
>
> From 5a01275cacb095f0fb557ae52bc54f854f5b4703 Mon Sep 17 00:00:00 2001
> From: Tyler Kennedy <tk at tkte.ch>
> Date: Wed, 15 Mar 2017 12:09:48 -0400
> Subject: [PATCH] Package auth check on revision diffs.
>
> ---
>  ckan/controllers/revision.py | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/ckan/controllers/revision.py b/ckan/controllers/revision.py
> index 171d7db..9884cee 100644
> --- a/ckan/controllers/revision.py
> +++ b/ckan/controllers/revision.py
> @@ -157,6 +157,15 @@ def diff(self, id=None):
>
>          c.diff_entity = request.params.get('diff_entity')
>          if c.diff_entity == 'package':
> +            try:
> +                logic.check_access('package_show',  {
> +                    'model': model,
> +                    'user': c.user or c.author,
> +                    'auth_user_obj': c.userobj
> +                }, {'id': id})
> +            except logic.NotAuthorized:
> +                base.abort(401)
> +
>              c.pkg = model.Package.by_name(id)
>              diff = c.pkg.diff(c.revision_to, c.revision_from)
>          elif c.diff_entity == 'group':
>
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>
> Repo: https://github.com/ckan/ckan-security
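The 404-versus-401 point above is about an existence oracle: if a private dataset answers 401 and a nonexistent one answers 404, an anonymous caller can enumerate private dataset names from the status code alone. The following is an added example, not CKAN code or Tyler's patch; `Package`, `check_access_package_show`, `NotAuthorized`, `NotFound` and `Abort` are stand-ins that model the shape of the CKAN calls in the patch (including the assumption that the `package_show` auth check raises a not-found error for unknown ids), and the sample datasets are constructed.

```python
"""Model of the revision-diff authorization gate from the thread.
All names here are hypothetical stand-ins for the CKAN objects the
patch touches; the dataset records are constructed sample data."""

from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Stand-in for logic.NotAuthorized."""


class NotFound(Exception):
    """Stand-in for logic.NotFound."""


class Abort(Exception):
    """Stand-in for base.abort(status): carries the HTTP status code."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


@dataclass
class Package:
    name: str
    private: bool
    org_members: set = field(default_factory=set)
    revisions: dict = field(default_factory=dict)  # rev_id -> content


# Constructed sample data: one public and one private dataset.
PACKAGES = {
    "roads": Package("roads", private=False,
                     revisions={"r1": "a", "r2": "b"}),
    "payroll": Package("payroll", private=True, org_members={"alice"},
                       revisions={"r1": "x", "r2": "y"}),
}


def check_access_package_show(user, pkg_name):
    """Shape of logic.check_access('package_show', ...): NotFound for an
    unknown id, NotAuthorized for a private package the user may not see."""
    pkg = PACKAGES.get(pkg_name)
    if pkg is None:
        raise NotFound(pkg_name)
    if pkg.private and user not in pkg.org_members:
        raise NotAuthorized(pkg_name)
    return pkg


def diff_package_unpatched(user, pkg_name, rev_from, rev_to):
    """Pre-patch behaviour: no authorization check before diffing."""
    pkg = PACKAGES[pkg_name]
    return (pkg.revisions[rev_from], pkg.revisions[rev_to])


def diff_package_patched(user, pkg_name, rev_from, rev_to,
                         unauthorized_status=404):
    """Gate the diff behind package_show and map NotAuthorized and
    NotFound to the same status, so an unauthorized caller cannot tell
    a private dataset from a nonexistent one."""
    try:
        pkg = check_access_package_show(user, pkg_name)
    except NotAuthorized:
        raise Abort(unauthorized_status)
    except NotFound:
        raise Abort(404)
    return (pkg.revisions[rev_from], pkg.revisions[rev_to])


def diff_package_patched_401(user, pkg_name, rev_from, rev_to):
    """The patch as posted: 401 on NotAuthorized, which reintroduces
    the existence oracle."""
    return diff_package_patched(user, pkg_name, rev_from, rev_to,
                                unauthorized_status=401)


def status_for(fn, user, pkg_name):
    """HTTP status a caller would observe for a diff of r1..r2."""
    try:
        fn(user, pkg_name, "r1", "r2")
        return 200
    except Abort as e:
        return e.status
    except KeyError:
        return 500  # unpatched path on an unknown name: server error


if __name__ == "__main__":
    for label, fn in (("unpatched", diff_package_unpatched),
                      ("patched-401", diff_package_patched_401),
                      ("patched-404", diff_package_patched)):
        print(label, status_for(fn, None, "payroll"), status_for(fn, None, "nope"))
```

With the 404 mapping, the anonymous statuses for `payroll` (private) and `nope` (nonexistent) are both 404; with the 401 mapping they differ, which is the leak the reply wants closed.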
