[CKAN-Security] Private Package Leak

Tyler Kennedy tk at tkte.ch
Sun Mar 19 21:29:52 UTC 2017


There are a few different ways to get revision IDs, and you only need one
from any point in the package's history, since the ID to compare to can be
null (comparing the state at that time to nothing will always give you the
full package) which can be used to rebuild the package. Since the API
allows complete traversal it's pretty trivial to make a complete clone of
all packages including privates and drafts. We definitely need to get the
patch pushed out and backported.

I used 401 instead of 404 as that's what the RevisionController already
does (see `__init__`) and I want to reduce behavior changes as much as
possible for backports.

On Mar 19, 2017 9:58 AM, "Ian Ward" <ian at excess.org> wrote:

> To exploit this you need the revision ids... and those are being leaked
> out of the list method above :-(
>
> Yes this one is nasty.
>
> One small change: Let's abort with a 404 instead of a 401 to match the
> package controller's handling of NotAuthorized.
>
> On Wed, Mar 15, 2017 at 12:13 PM, Tyler Kennedy <tk at tkte.ch> wrote:
> > Hey all,
> >
> > The following git-patch can be used to quickly fix package leaks back to
> > CKAN v2.4 while keeping your current functionality.
> >
> > Thank you,
> > Tyler Kennedy
> >
> > From 5a01275cacb095f0fb557ae52bc54f854f5b4703 Mon Sep 17 00:00:00 2001
> > From: Tyler Kennedy <tk at tkte.ch>
> > Date: Wed, 15 Mar 2017 12:09:48 -0400
> > Subject: [PATCH] Package auth check on revision diffs.
> >
> > ---
> >  ckan/controllers/revision.py | 9 +++++++++
> >  1 file changed, 9 insertions(+)
> >
> > diff --git a/ckan/controllers/revision.py b/ckan/controllers/revision.py
> > index 171d7db..9884cee 100644
> > --- a/ckan/controllers/revision.py
> > +++ b/ckan/controllers/revision.py
> > @@ -157,6 +157,15 @@ def diff(self, id=None):
> >
> >          c.diff_entity = request.params.get('diff_entity')
> >          if c.diff_entity == 'package':
> > +            try:
> > +                logic.check_access('package_show',  {
> > +                    'model': model,
> > +                    'user': c.user or c.author,
> > +                    'auth_user_obj': c.userobj
> > +                }, {'id': id})
> > +            except logic.NotAuthorized:
> > +                base.abort(401)
> > +
> >              c.pkg = model.Package.by_name(id)
> >              diff = c.pkg.diff(c.revision_to, c.revision_from)
> >          elif c.diff_entity == 'group':
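Review bot: the `except` clause catches only `logic.NotAuthorized`, so if `check_access('package_show', ...)` raises `logic.NotFound` for an `id` that does not match any package (the usual behaviour of the package auth functions when the object lookup fails), the request now ends in an unhandled exception instead of a clean 404; consider catching `logic.NotFound` too and aborting with 404. Two related points: `base.abort(401)` for an existing private package tells an unauthenticated caller that the name exists, which a 404 (as Ian suggests, matching the package controller) would not; and the check guards only the `diff_entity == 'package'` branch, while the `elif c.diff_entity == 'group':` branch gets no equivalent `group_show` check, so confirm whether group revision diffs need the same treatment. The leak of revision ids through the list method mentioned earlier in the thread is not touched by this hunk and needs its own fix.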
> >
> >
> > _______________________________________________
> > CKAN security
> > https://lists.okfn.org/mailman/listinfo/security
> > https://lists.okfn.org/mailman/options/security/ian%40excess.org
> >
> > Repo: https://github.com/ckan/ckan-security
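The following is an added example, not CKAN's own code or the patch from the thread. It models the revision-diff endpoint in memory so the two points made above can be seen directly: diffing a revision against `None` returns every field of the package, and the only thing standing between an anonymous caller and a private package's content is the `package_show` check that the patch inserts. The `package_show_auth`, `package_diff` and `diff_controller_*` functions, the exception classes, the `Package`/`Revision`/`User` records and all sample data are constructed for this example; the real CKAN auth rules are more involved than the organisation-membership rule assumed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Constructed stand-ins for ckan.logic.NotAuthorized / ckan.logic.NotFound.
class NotAuthorized(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass
class Revision:
    id: str
    fields: Dict[str, str]      # package metadata as it stood at this revision


@dataclass
class Package:
    name: str
    private: bool
    owner_org: str
    revisions: List[Revision]


@dataclass
class User:
    name: Optional[str]         # None models an anonymous request
    orgs: Set[str]


def package_show_auth(user: User, pkg: Package) -> None:
    """Simplified stand-in for the package_show auth function (assumption):
    public packages are visible to everyone, private ones only to members
    of the owning organisation."""
    if not pkg.private:
        return
    if user.name is not None and pkg.owner_org in user.orgs:
        return
    raise NotAuthorized(pkg.name)


def package_diff(pkg: Package, revision_to: str,
                 revision_from: Optional[str] = None) -> Dict[str, tuple]:
    """Field-level diff between two revisions. Comparing against None means
    comparing with an empty state, so every field at revision_to comes back,
    which is why one revision id is enough to rebuild a whole package."""
    by_id = {r.id: r for r in pkg.revisions}
    if revision_to not in by_id or (revision_from is not None
                                    and revision_from not in by_id):
        raise NotFound("unknown revision")
    to = by_id[revision_to].fields
    frm = {} if revision_from is None else by_id[revision_from].fields
    return {k: (frm.get(k), to.get(k))
            for k in sorted(set(to) | set(frm))
            if to.get(k) != frm.get(k)}


def diff_controller_vulnerable(db: Dict[str, Package], user: User, pkg_name: str,
                               revision_to: str, revision_from: Optional[str] = None
                               ) -> Tuple[int, Optional[dict]]:
    # Pre-patch shape of the controller: load the package and diff it, with
    # no access check at all, so private and draft packages are served to anyone.
    pkg = db[pkg_name]
    return 200, package_diff(pkg, revision_to, revision_from)


def diff_controller_fixed(db: Dict[str, Package], user: User, pkg_name: str,
                          revision_to: str, revision_from: Optional[str] = None
                          ) -> Tuple[int, Optional[dict]]:
    # Post-patch shape: run the package_show check before touching the package.
    pkg = db.get(pkg_name)
    if pkg is None:
        return 404, None
    try:
        package_show_auth(user, pkg)
    except NotAuthorized:
        # The patch aborts with 401; a 404 here would additionally avoid
        # confirming that a private package with this name exists.
        return 401, None
    return 200, package_diff(pkg, revision_to, revision_from)


# Constructed sample data: one private and one public package in the same org.
PRIVATE = Package("secret-dataset", True, "org-a", [
    Revision("r1", {"title": "Draft", "notes": "internal"}),
    Revision("r2", {"title": "Draft v2", "notes": "internal",
                    "url": "https://example.invalid/data"}),
])
PUBLIC = Package("open-dataset", False, "org-a", [Revision("r1", {"title": "Open"})])
DB = {p.name: p for p in (PRIVATE, PUBLIC)}
ANON = User(None, set())
MEMBER = User("alice", {"org-a"})

if __name__ == "__main__":
    print(diff_controller_vulnerable(DB, ANON, "secret-dataset", "r2"))
    print(diff_controller_fixed(DB, ANON, "secret-dataset", "r2"))
    print(diff_controller_fixed(DB, MEMBER, "secret-dataset", "r2", "r1"))
```

Run as a script, the first line printed is the full content of the private package handed to an anonymous caller by the unpatched controller, the second is the 401 the patched controller returns instead, and the third is the ordinary revision-to-revision diff an authorised org member still gets.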