[CKAN-Security] data modifications using GET

Adrià Mercader adria.mercader at okfn.org
Fri Apr 20 14:19:52 UTC 2018


Hi JD,
Just a quick note to say that we are planning on working on a patch for
this next week and backporting it to the next patch releases, which should
hopefully be out in a couple of weeks with 2.8.

Btw 2.8 is not affected by this.

Have a great weekend

Adrià

On 12 Apr 2018 10:32 pm, "JD Bothma" <jd at openup.org.za> wrote:

Thanks!

JD

On Thu, 12 Apr 2018, 22:23 Adrià Mercader, <adria.mercader at okfn.org> wrote:

>
> Many thanks for the report JD,
>
> We'll work out a plan to address this and patch it as soon as we can.
> We'll keep you posted.
>
> Adrià
>
>
> On Thu, 12 Apr 2018, 17:03 JD Bothma, <jd at openup.org.za> wrote:
>
>> Hi there
>>
>> Isn't it a serious security issue to allow data modification via GET
>> requests?
>>
>> e.g.
>> curl -v 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save=' -H 'cookie:...' ...
>>
>> This changed my display name. Haven't checked if you can modify datasets
>> this way.
>>
>> Further, since GET is whitelisted this CSRF protection isn't effective
>> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
>>
>> Do you know of a way to stop modifications with GET other than modifying
>> the controllers? It looks like the same controllers are used for GET and
>> POST which means we can't just add method conditions in routing.py
>> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
>>
>> Best
>> JD
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
>
>
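The flaw JD describes, modelled as an added example (this is my own illustration, not code from CKAN or ckanext-security): a Pylons-style controller whose save branch runs on any request method, a CSRF middleware that exempts GET (so it never sees the state-changing GET), and a small WSGI-style guard that refuses GET/HEAD requests carrying parameters on routes known to mutate state, which is one way to stop GET modifications without touching the controllers. The route list, the token value, the `/user/edit/<name>` handler and the in-memory user table are all constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed model, not CKAN or ckanext-security code.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
CSRF_TOKEN = "constructed-session-token"  # assumed: a per-session random token


def _params(environ):
    """Merge query-string and form-body fields, the way a Pylons controller
    sees them.  wsgi.input is modelled as bytes so it can be parsed twice
    (once by middleware, once by the controller)."""
    merged = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    body = environ.get("wsgi.input", b"")
    if environ.get("REQUEST_METHOD") == "POST" and body:
        for k, v in parse_qs(body.decode(), keep_blank_values=True).items():
            merged.setdefault(k, []).extend(v)
    return {k: v[-1] for k, v in merged.items()}


def make_profile_app(users):
    """Controller with the flaw: the 'save' branch has no request-method check."""
    def app(environ):
        m = re.match(r"^/user/edit/([^/]+)$", environ["PATH_INFO"])
        if not m or m.group(1) not in users:
            return "404 Not Found"
        p = _params(environ)
        if "save" in p:                       # reachable by GET as well as POST
            users[m.group(1)]["fullname"] = p.get("fullname", "")
            return "302 Found"
        return "200 OK"                       # render the edit form
    return app


def csrf_middleware(app, token_param="csrf_token"):
    """Naive CSRF guard: whitelists 'safe' methods, checks a token otherwise.
    Ineffective when GET is not actually side-effect free."""
    def guarded(environ):
        if environ["REQUEST_METHOD"] not in SAFE_METHODS:
            if _params(environ).get(token_param) != CSRF_TOKEN:
                return "403 Forbidden"
        return app(environ)
    return guarded


def write_route_guard(app, write_routes):
    """Hardening without controller changes: on routes that mutate state, a
    GET/HEAD that carries a query string is refused, so the save branch can
    only be reached by a (CSRF-checked) POST.  A bare GET still renders the form."""
    patterns = [re.compile(r) for r in write_routes]

    def guarded(environ):
        on_write_route = any(p.match(environ["PATH_INFO"]) for p in patterns)
        if (on_write_route and environ["REQUEST_METHOD"] in SAFE_METHODS
                and environ.get("QUERY_STRING")):
            return "405 Method Not Allowed"
        return app(environ)
    return guarded


def request(method, path, query="", body=b""):
    """Minimal WSGI-like environ for the example."""
    return {"REQUEST_METHOD": method, "PATH_INFO": path,
            "QUERY_STRING": query, "wsgi.input": body}


def demo():
    """Replay the GET-based edit against the naive and the hardened stacks."""
    naive_users = {"jd": {"fullname": "JD"}}
    naive = csrf_middleware(make_profile_app(naive_users))
    hard_users = {"jd": {"fullname": "JD"}}
    hardened = csrf_middleware(
        write_route_guard(make_profile_app(hard_users), [r"^/user/edit/"]))

    attack = request("GET", "/user/edit/jd", "fullname=Mallory&save=")
    r = {}
    r["naive_get"] = naive(attack)               # CSRF check skipped: GET is whitelisted
    r["naive_name"] = naive_users["jd"]["fullname"]
    r["hard_get"] = hardened(attack)             # refused before the controller runs
    r["hard_name"] = hard_users["jd"]["fullname"]
    r["hard_form"] = hardened(request("GET", "/user/edit/jd"))
    r["hard_post_no_token"] = hardened(
        request("POST", "/user/edit/jd", body=b"fullname=JD+Bothma&save="))
    r["hard_post"] = hardened(request(
        "POST", "/user/edit/jd",
        body=b"fullname=JD+Bothma&save=&csrf_token=" + CSRF_TOKEN.encode()))
    r["hard_name_after_post"] = hard_users["jd"]["fullname"]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The guard is a stopgap: it depends on a maintained list of write routes and would also reject legitimate query parameters on those paths (for example pagination), so the durable fix is still for the controller to take the save branch only on POST, at which point the GET exemption in the CSRF middleware becomes safe.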