[CKAN-Security] data modifications using GET
JD Bothma
jd at openup.org.za
Thu Apr 12 14:57:04 UTC 2018
Hi there
Isn't it a serious security issue to allow data modification via GET
requests?
e.g. curl -v 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save=' -H 'cookie:...' ...
This changed my display name. Haven't checked if you can modify datasets
this way.
Further, since GET is whitelisted, this CSRF protection isn't effective:
https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
Do you know of a way to stop modifications with GET other than modifying
the controllers? It looks like the same controllers are used for GET and
POST which means we can't just add method conditions in routing.py
https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
Best
JD
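One way to answer the question above without touching the controllers is to put a WSGI middleware in front of the application that refuses requests which use a safe method (GET, HEAD, OPTIONS) but carry form parameters to a route known to modify state. The example below is added here; it is not code from the poster, from CKAN or from ckanext-security. The route patterns in MUTATING_PATH_PATTERNS are an assumption for illustration (the real routes come from CKAN's routing.py), and the demo application and request driver are constructed stand-ins so the block runs offline.

```python
"""Added example: reject state-changing form submissions made with a safe HTTP method."""
import re
from urllib.parse import parse_qs

# Assumed for this example: prefixes of routes whose handlers modify state.
# Populate this from the application's own route table (routing.py) in practice.
MUTATING_PATH_PATTERNS = [
    re.compile(r"^/user/edit(/|$)"),
    re.compile(r"^/dataset/(new|edit)(/|$)"),
]

# Methods HTTP defines as safe: a request using one must never change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_disallowed(method, path, query_string):
    """True when a safe-method request carries form parameters to a mutating route.

    A bare GET /user/edit/jd (which renders the edit form) is allowed; the same
    path with ?name=...&save= in the query string is refused, because those are
    the fields the handler would otherwise treat as a submitted form.
    """
    if method.upper() not in SAFE_METHODS:
        return False  # POST etc. are left to the CSRF token check
    if not any(p.match(path) for p in MUTATING_PATH_PATTERNS):
        return False  # read-only route, nothing to protect here
    params = parse_qs(query_string, keep_blank_values=True)
    return len(params) > 0


class RejectMutationViaSafeMethods:
    """WSGI middleware: answer 405 instead of forwarding a disallowed request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        path = environ.get("PATH_INFO", "")
        query = environ.get("QUERY_STRING", "")
        if is_disallowed(method, path, query):
            body = b"405 Method Not Allowed: form parameters must be submitted with POST\n"
            headers = [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                ("Allow", "POST"),
            ]
            start_response("405 Method Not Allowed", headers)
            return [body]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Constructed stand-in for the wrapped application (not CKAN)."""
    body = b"handled by app\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, method, path, query_string=""):
    """Drive a WSGI app with a minimal environ; return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query_string,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = RejectMutationViaSafeMethods(_demo_app)
    # Query string shaped like the one in the report; values are constructed here.
    qs = ("name=jd&fullname=Jan+D+Bothma&email=jd%40example.org&about="
          "&old_password=&password1=&password2=&save=")
    print(run_request(app, "GET", "/user/edit/jd", qs)[0])   # 405 Method Not Allowed
    print(run_request(app, "GET", "/user/edit/jd")[0])       # 200 OK (renders the form)
    print(run_request(app, "POST", "/user/edit/jd", qs)[0])  # 200 OK (CSRF check applies)
```

Refusing any query parameters on a mutating route is deliberately coarse: it blocks the form-via-GET case without the middleware needing to know each form's field names, at the cost of rejecting benign query strings on those few paths. If a route legitimately takes GET parameters, narrow the check to the submit field (for example `save`) or move that route out of the pattern list. The middleware should sit outside the CSRF middleware so that POST requests still go through the token check.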