[CKAN-Security] data modifications using GET
Ian Ward
ian at excess.org
Thu Apr 12 15:31:39 UTC 2018
Yes, this one is very bad. There is some checking for POST in the
package controller but it seems like almost every method does it
differently. We'll have to audit them all.
On Thu, Apr 12, 2018 at 10:57 AM, JD Bothma <jd at openup.org.za> wrote:
> Hi there
>
> Isn't it a serious security issue to allow data modification via GET
> requests?
>
> e.g. curl -v
> 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save='
> -H 'cookie:...' ...
>
> This changed my display name. Haven't checked if you can modify datasets
> this way.
>
> Further, since GET is whitelisted this CSRF protection isn't effective
> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
>
> Do you know of a way to stop modifications with GET other than modifying the
> controllers? It looks like the same controllers are used for GET and POST
> which means we can't just add method conditions in routing.py
> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
>
> Best
> JD
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>
> Repo: https://github.com/ckan/ckan-security
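The thread above raises two separate points: state-changing routes that accept GET, and a CSRF middleware that exempts GET, so the exemption covers exactly the requests that do the damage. The WSGI middleware below is an added example of enforcing both at one choke point, independent of how each controller method checks `request.method`; it is not CKAN's or ckanext-security's code. The list of mutating path patterns, the `csrf_token` cookie name and the `_csrf` form field name are assumptions made for the example, and the only mutating path taken from the report is `/user/edit/`.

```python
import hmac
import re
import secrets
from io import BytesIO
from urllib.parse import parse_qs

# Hypothetical path patterns that change server state. CKAN's real route table
# is larger; only /user/edit/ comes from the report above, the rest are assumed.
MUTATING_PATH_PATTERNS = tuple(re.compile(p) for p in (
    r"^/user/edit/",
    r"^/dataset/edit/",
    r"^/dataset/delete/",
    r"^/api/action/",
))

# RFC 7231 "safe" methods: a request using one of these must never change state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

COOKIE_NAME = "csrf_token"   # assumed cookie name
FIELD_NAME = "_csrf"         # assumed form field name


def is_mutating(path: str) -> bool:
    """True when the path is one that modifies data."""
    return any(p.match(path) for p in MUTATING_PATH_PATTERNS)


def _cookie(environ, name):
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def _form_field(environ, name):
    """Read the url-encoded body once and rewind it so the wrapped app can still read it."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length else b""
    environ["wsgi.input"] = BytesIO(body)
    values = parse_qs(body.decode("utf-8", "replace")).get(name, [])
    return values[0] if values else None


class MutationGuard:
    """Mutating routes must use a non-safe method AND carry a CSRF token in the
    request body that matches the cookie. GET is deliberately not whitelisted
    for these routes, which is the gap the report points at."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "")
        if is_mutating(path):
            if method in SAFE_METHODS:
                # Query-string edits like the curl in the report stop here.
                return self._deny(start_response, "405 Method Not Allowed", [("Allow", "POST")])
            cookie_tok = _cookie(environ, COOKIE_NAME)
            form_tok = _form_field(environ, FIELD_NAME)
            if not cookie_tok or not form_tok or not hmac.compare_digest(cookie_tok, form_tok):
                return self._deny(start_response, "403 Forbidden")
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status, extra_headers=()):
        body = status.encode()
        headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
        start_response(status, headers + list(extra_headers))
        return [body]


def new_csrf_token() -> str:
    """Token to set as the cookie and embed in forms; unguessable to a cross-site page."""
    return secrets.token_urlsafe(32)


def _app(environ, start_response):
    # Stand-in for the real application behind the guard.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"changed"]


def run_request(method, path, query="", body=b"", cookie=""):
    """Drive the guarded app with a constructed WSGI environ; returns the status line."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)), "HTTP_COOKIE": cookie,
        "wsgi.input": BytesIO(body),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    list(MutationGuard(_app)(environ, start_response))
    return captured["status"]


if __name__ == "__main__":
    tok = new_csrf_token()
    print(run_request("GET", "/user/edit/jd", query="name=jd&fullname=Jan+D+Bothma", cookie=f"csrf_token={tok}"))
    print(run_request("POST", "/user/edit/jd", body=b"name=jd", cookie=f"csrf_token={tok}"))
    print(run_request("POST", "/user/edit/jd", body=f"name=jd&_csrf={tok}".encode(), cookie=f"csrf_token={tok}"))
    print(run_request("GET", "/dataset/foo"))
```

The four calls at the bottom cover the cases in the thread: the reported GET edit is refused with 405 whatever cookies it carries, a cross-site POST that the browser decorates with the cookie but that cannot read the token into the form gets 403, a genuine form submission with both passes, and read-only paths are untouched. Rejecting by path rather than by controller is what lets this sit in one place while the per-controller audit proceeds. The double-submit cookie pattern used here is the simplest correct option; binding the token to the server-side session is stronger where the application already has one.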