[CKAN-Security] data modifications using GET
jd at openup.org.za
Thu Apr 12 14:57:04 UTC 2018
Isn't it a serious security issue to allow data modification via GET
e.g. curl -v '
This changed my display name. Haven't checked if you can modify datasets
Further, since GET is whitelisted this CSRF protection isn't effective
Do you know of a way to stop modifications with GET other than modifying
the controllers? It looks like the same controllers are used for GET and
POST which means we can't just add method conditions in routing.py
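
One way to refuse GET-driven modifications without touching the controllers is a WSGI middleware placed in front of the application. This is an added example, not part of the original message and not CKAN's own code; the path pattern, the `save` trigger parameter and the stand-in application are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class RejectGetWrites:
    """Refuse safe-method requests that carry form-submission parameters
    on paths where one controller serves both the form (GET) and the save (POST)."""

    def __init__(self, app, path_patterns, trigger_params):
        self.app = app
        self.patterns = [re.compile(p) for p in path_patterns]
        self.triggers = set(trigger_params)

    def is_blocked(self, method, path, query_string):
        if method.upper() not in SAFE_METHODS:
            return False  # POST/PUT/DELETE go on to the CSRF check as usual
        if not any(p.match(path) for p in self.patterns):
            return False  # path is not a listed edit endpoint
        params = parse_qs(query_string, keep_blank_values=True)
        return bool(self.triggers & params.keys())

    def __call__(self, environ, start_response):
        if self.is_blocked(environ.get("REQUEST_METHOD", "GET"),
                           environ.get("PATH_INFO", ""),
                           environ.get("QUERY_STRING", "")):
            body = b"Use POST to modify data.\n"
            start_response("405 Method Not Allowed",
                           [("Allow", "POST"), ("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the real application (constructed for this example).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(app, method, path, query=""):
    """Drive a WSGI app with a minimal constructed environ; return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    list(app(environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0]


# Hypothetical edit endpoint and trigger parameter; adjust to the real routes.
PROTECTED = RejectGetWrites(demo_app, [r"^/user/edit(/|$)"], ["save"])
```

A plain GET that only renders the form still passes, while the same path with the trigger parameter in the query string gets a 405. The filter covers only the endpoints and parameters listed, so it complements method checks in the controllers rather than replacing them.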