[CKAN-Security] data modifications using GET

JD Bothma jd at openup.org.za
Thu Apr 12 14:57:04 UTC 2018


Hi there

Isn't it a serious security issue to allow data modification via GET
requests?

e.g. curl -v 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save=' \
  -H 'cookie:...' ...

This changed my display name. Haven't checked if you can modify datasets
this way.

Further, since GET is whitelisted, this CSRF protection isn't effective:
https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23

Do you know of a way to stop modifications with GET other than modifying
the controllers? It looks like the same controllers are used for GET and
POST which means we can't just add method conditions in routing.py
https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html

Best
JD
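The two points above (a GET that reaches a state-changing controller, and a CSRF filter that waves safe methods through) can be reproduced in a few lines of WSGI. The following is an added example written for this page, not JD's code and not CKAN's or ckanext-security's; the controller, the store, the token header `X-CSRF-Token`, the token value and the mutating-path patterns are all assumed for illustration. It replays the query string from the mail against a stack that only has a whitelist-style token check, then against the same stack with a method-enforcing middleware in front, which is one way to refuse GET modifications without touching the controllers themselves.

```python
import io
import re
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods a typical CSRF filter lets through unchecked


def make_user_edit_app(store):
    """Toy controller (assumed, not CKAN's): like a Pylons action reached for GET
    and POST alike, it saves whatever parameters arrive, query string or body."""
    def app(environ, start_response):
        m = re.match(r"^/user/edit/([^/]+)$", environ.get("PATH_INFO", ""))
        if not m or m.group(1) not in store:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        user = m.group(1)
        if environ["REQUEST_METHOD"] == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            raw = environ["wsgi.input"].read(length).decode()
        else:
            raw = environ.get("QUERY_STRING", "")
        params = parse_qs(raw, keep_blank_values=True)  # "save=" is blank but present
        if "save" in params:
            store[user]["fullname"] = params.get("fullname", [""])[0]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [store[user]["fullname"].encode()]
    return app


class CsrfTokenMiddleware:
    """Token check that skips 'safe' methods: the whitelist pattern the mail points at.
    Simplified illustration, not the ckanext-security implementation."""
    def __init__(self, app, token):
        self.app, self.token = app, token

    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] in SAFE_METHODS:
            return self.app(environ, start_response)  # GET never reaches the token check
        if environ.get("HTTP_X_CSRF_TOKEN") != self.token:  # assumed header name
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"CSRF token missing or invalid"]
        return self.app(environ, start_response)


class RequirePostMiddleware:
    """Hardening: refuse non-POST requests to paths that mutate state, so the
    CSRF whitelist can no longer be side-stepped by putting the form in a URL."""
    def __init__(self, app, mutating_paths):
        self.app = app
        self.patterns = [re.compile(p) for p in mutating_paths]

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if environ["REQUEST_METHOD"] != "POST" and any(p.match(path) for p in self.patterns):
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"), ("Allow", "POST")])
            return [b"state-changing requests must use POST"]
        return self.app(environ, start_response)


def call(app, method, path, query="", body=b"", headers=None):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
    out = b"".join(app(environ, start_response))
    return captured["status"], out.decode()


def run_scenarios():
    """Replay the mail's query string against the whitelist-only stack and the hardened one."""
    query = ("name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about="
             "&old_password=&password1=&password2=&save=")
    results = {}

    # 1. Only the token middleware: GET is whitelisted, so the edit goes through.
    store = {"jd": {"fullname": "JD"}}  # constructed sample data
    app = CsrfTokenMiddleware(make_user_edit_app(store), token="s3cret")
    status, _ = call(app, "GET", "/user/edit/jd", query=query)
    results["csrf_only_get"] = (status, store["jd"]["fullname"])

    # 2. Method enforcement in front: the same GET is refused and nothing changes.
    store = {"jd": {"fullname": "JD"}}
    app = RequirePostMiddleware(
        CsrfTokenMiddleware(make_user_edit_app(store), token="s3cret"),
        mutating_paths=[r"^/user/edit/", r"^/dataset/edit/"],  # assumed path list
    )
    status, _ = call(app, "GET", "/user/edit/jd", query=query)
    results["hardened_get"] = (status, store["jd"]["fullname"])

    # 3. POST without the token is caught by the CSRF check.
    status, _ = call(app, "POST", "/user/edit/jd", body=query.encode())
    results["hardened_post_no_token"] = (status, store["jd"]["fullname"])

    # 4. A legitimate POST carrying the token still works.
    status, _ = call(app, "POST", "/user/edit/jd", body=query.encode(),
                     headers={"X-CSRF-Token": "s3cret"})
    results["hardened_post_with_token"] = (status, store["jd"]["fullname"])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:25s} -> {outcome}")
```

The path list is the weak point of this approach: it has to name every URL that mutates state, and anything left out still accepts GET, so it is a stop-gap in front of controllers that should themselves reject anything but POST for a save.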