[CKAN-Security] data modifications using GET
Adrià Mercader
adria.mercader at okfn.org
Thu Apr 12 20:23:36 UTC 2018
Many thanks for the report, JD,
We'll work out a plan to address this and patch it as soon as we can. We'll
keep you posted.
Adrià
On Thu, 12 Apr 2018, 17:03 JD Bothma, <jd at openup.org.za> wrote:
> Hi there
>
> Isn't it a serious security issue to allow data modification via GET
> requests?
>
> e.g. curl -v 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save=' -H 'cookie:...' ...
>
> This changed my display name. Haven't checked if you can modify datasets
> this way.
>
> Further, since GET is whitelisted this CSRF protection isn't effective
> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
>
> Do you know of a way to stop modifications with GET other than modifying
> the controllers? It looks like the same controllers are used for GET and
> POST which means we can't just add method conditions in routing.py
> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
>
> Best
> JD
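As an added example (not code from CKAN or ckanext-security), a small WSGI sketch of the two issues raised above: a CSRF check that skips safe methods never sees a state-changing GET, and a middleware layer that discards the query string of GET requests to edit paths, so a shared GET/POST controller still renders its form but cannot save from a GET. The controller, path patterns, token and user record are all hypothetical, and the mitigation assumes the edit forms take no GET parameters.

```python
import re
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical: URL patterns whose controllers save state (edit forms only).
MUTATING_PATHS = [re.compile(r"^/user/edit/[^/]+$"), re.compile(r"^/dataset/edit/[^/]+$")]
USERS = {"jd": {"fullname": "JD Bothma"}}  # constructed sample record

def edit_user_app(environ, start_response):
    """Stand-in for the reported controller: one handler serves GET and POST and
    saves whenever 'save' is present, whatever the method."""
    name = environ["PATH_INFO"].rsplit("/", 1)[-1]
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if "save" in params:
        USERS[name]["fullname"] = params.get("fullname", [""])[0]
        body = b"saved"
    else:
        body = b"form"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]

class CsrfSkipsSafeMethods:
    """Mirrors the whitelisting check: safe methods bypass it entirely."""
    def __init__(self, app, token): self.app, self.token = app, token
    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] not in SAFE_METHODS and \
           environ.get("HTTP_X_CSRF_TOKEN") != self.token:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"csrf"]
        return self.app(environ, start_response)

class DropQueryOnMutatingGet:
    """Mitigation that leaves controllers untouched: on edit paths a safe-method
    request may only render the form, so its query string is dropped first."""
    def __init__(self, app): self.app = app
    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] in SAFE_METHODS and \
           any(p.match(environ["PATH_INFO"]) for p in MUTATING_PATHS):
            environ = dict(environ, QUERY_STRING="")
        return self.app(environ, start_response)

def call(app, method, path, query=""):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    status = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body.decode()

TOKEN = "constructed-token"  # hypothetical per-session CSRF token
vulnerable = CsrfSkipsSafeMethods(edit_user_app, TOKEN)
hardened = CsrfSkipsSafeMethods(DropQueryOnMutatingGet(edit_user_app), TOKEN)
```

With the vulnerable stack, a plain GET carrying `save=` changes the record; with the hardened stack the same GET only returns the form, while an unauthenticated POST is still refused by the token check.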