[CKAN-Security] data modifications using GET

JD Bothma jd at openup.org.za
Fri Apr 20 14:31:43 UTC 2018


Hi Adrià

Thank you very much for the update.

Best
JD

On 20 April 2018 at 16:19, Adrià Mercader <adria.mercader at okfn.org> wrote:

> Hi JD,
> Just a quick note to say that we are planning on working on a patch for
> this next week and backporting it to the next patch releases, which should
> hopefully be out in a couple of weeks with 2.8.
>
> Btw 2.8 is not affected by this.
>
> Have a great weekend
>
> Adrià
>
> On 12 Apr 2018 10:32 pm, "JD Bothma" <jd at openup.org.za> wrote:
>
> Thanks!
>
> JD
>
> On Thu, 12 Apr 2018, 22:23 Adrià Mercader, <adria.mercader at okfn.org>
> wrote:
>
>>
>> Many thanks for the report JD,
>>
>> We'll work out a plan to address this and patch it as soon as we can.
>> We'll keep you posted.
>>
>> Adrià
>>
>>
>> On Thu, 12 Apr 2018, 17:03 JD Bothma, <jd at openup.org.za> wrote:
>>
>>> Hi there
>>>
>>> Isn't it a serious security issue to allow data modification via GET
>>> requests?
>>>
>>> e.g. curl -v 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save=' -H 'cookie:...' ...
>>>
>>> This changed my display name. Haven't checked if you can modify datasets
>>> this way.
>>>
>>> Further, since GET is whitelisted, this CSRF protection isn't effective:
>>> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
>>>
>>> Do you know of a way to stop modifications with GET other than modifying
>>> the controllers? It looks like the same controllers are used for GET and
>>> POST, which means we can't just add method conditions in routing.py:
>>> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
>>>
>>> Best
>>> JD
>>> _______________________________________________
>>> CKAN security
>>> https://lists.okfn.org/mailman/listinfo/security
>>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>>
>>> Repo: https://github.com/ckan/ckan-security
>>
>>
>


-- 
JD Bothma
Software Developer
OpenUp
+27 (0)79 281 6737
+27 (0)21 671 6306
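The thread leaves JD's question open: how to stop state changes over GET when the same Pylons controller serves both GET and POST and routing.py cannot carry a method condition. The block below is an added example, not code from the thread, from CKAN, or from ckanext-security. It is the kind of shim a deployment can put in front of the application without touching controllers: a WSGI middleware that answers 405 to any GET or HEAD request that targets an edit-style route and carries a form-submit marker in its query string, which is exactly the shape of the reported `/user/edit/jd?...&save=` request. Because the request must then be a POST, it also falls back inside whatever CSRF check skips GET. The route regex and the `save`/`delete` marker names are assumptions modelled on the URL in the report; plain GETs to the same routes still pass so the edit form itself can be rendered.

```python
# Added example (not CKAN or ckanext-security code): a WSGI middleware that
# refuses GET/HEAD requests which look like form submissions to edit routes,
# so a state change cannot be triggered by a link or <img> tag and cannot
# bypass a CSRF check that whitelists GET. The route pattern and the submit
# marker names below are assumptions chosen for illustration.
import re
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Hypothetical route shapes, modelled on the /user/edit/<id> URL in the report.
MUTATING_PATHS = re.compile(
    r"^/(user|dataset|group|organization)/(edit|new|delete)(/|$)"
)
# Hypothetical submit-button names that mark a request as a save attempt.
SUBMIT_MARKERS = {"save", "delete"}
SAFE_METHODS = {"GET", "HEAD"}


def is_mutating_get(environ):
    """True when a safe-method request hits an edit route and its query string
    carries a submit marker, i.e. the edit form was submitted via GET."""
    if environ.get("REQUEST_METHOD", "GET").upper() not in SAFE_METHODS:
        return False
    if not MUTATING_PATHS.match(environ.get("PATH_INFO", "")):
        return False
    # keep_blank_values: the reported query ends in "save=" with an empty value.
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    return bool(SUBMIT_MARKERS & params.keys())


class RejectMutatingGet:
    """Wrap a WSGI app and answer 405 to GET/HEAD form submissions on edit
    routes. Plain GETs (no submit marker) still reach the app, so the edit
    form can be displayed; only the save must travel as a POST."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_mutating_get(environ):
            body = b"405 Method Not Allowed: modify data with POST\n"
            start_response(
                "405 Method Not Allowed",
                [("Content-Type", "text/plain"),
                 ("Allow", "POST"),
                 ("Content-Length", str(len(body)))],
            )
            return [body]
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Stand-in for the real application: reports what it would have handled."""
    body = ("%s %s handled\n" % (environ["REQUEST_METHOD"],
                                 environ["PATH_INFO"])).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def request(app, method, path, query=""):
    """Drive a WSGI app with a constructed request and return its status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": method, "PATH_INFO": path,
                    "QUERY_STRING": query})
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    list(app(environ, start_response))  # consume the body; only status matters
    return captured["status"]


# Constructed from the query string in the report (cookie and headers omitted).
REPORTED_QUERY = ("name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za"
                  "&about=&old_password=&password1=&password2=&save=")

if __name__ == "__main__":
    app = RejectMutatingGet(echo_app)
    print(request(app, "GET", "/user/edit/jd", REPORTED_QUERY))   # 405 Method Not Allowed
    print(request(app, "GET", "/user/edit/jd"))                   # 200 OK (form render)
    print(request(app, "POST", "/user/edit/jd", REPORTED_QUERY))  # 200 OK
    print(request(app, "GET", "/dataset/example", "save="))       # 200 OK (not an edit route)
```

Treat this as a stopgap rather than the fix. It relies on recognising the submit marker and the route shape, so a mutating endpoint that uses a different parameter name or path would still slip through; the durable fix is for the controller (or, in Pylons, a `conditions=dict(method=['POST'])` on a dedicated save route) to refuse the write unless the request is a POST, which is also where a CSRF token check belongs.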