[CKAN-Security] data modifications using GET

• Previous message: [CKAN-Security] data modifications using GET
• Next message: [CKAN-Security] data modifications using GET
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Let's plan this next Tuesday and see if we can get it patched on 2.8 and
the next patch releases.
I'm pretty sure that the package and group controllers check for the method
used but as you say Ian we need to do a full audit.

On Thu, 12 Apr 2018, 17:31 Ian Ward, <ian at excess.org> wrote:

> Yes, this one is very bad. There is some checking for POST in the
> package controller but it seems like almost every method does it
> differently.. We'll have to audit them all.
>
> On Thu, Apr 12, 2018 at 10:57 AM, JD Bothma <jd at openup.org.za> wrote:
> > Hi there
> >
> > Isn't it a serious security issue to allow data modification via GET
> > requests?
> >
> > e.g. curl -v
> > '
> https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save=
> '
> > -H 'cookie:...' ...
> >
> > This changed my display name. Haven't checked if you can modify datasets
> > this way.
> >
> > Further, since GET is whitelisted this CSRF protection isn't effective
> >
> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
> >
> > Do you know of a way to stop modifications with GET other than modifying
> the
> > controllers? It looks like the same controllers are used for GET and POST
> > which means we can't just add method conditions in routing.py
> >
> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
> >
> > Best
> > JD
> >
> > _______________________________________________
> > CKAN security
> > https://lists.okfn.org/mailman/listinfo/security
> > https://lists.okfn.org/mailman/options/security/ian%40excess.org
> >
> > Repo: https://github.com/ckan/ckan-security
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20180412/f7cacee3/attachment-0001.html>

• Previous message: [CKAN-Security] data modifications using GET
• Next message: [CKAN-Security] data modifications using GET
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]