[CKAN-Security] data modifications using GET

JD Bothma jd at openup.org.za
Mon May 14 13:40:07 UTC 2018


Hi Adrià

I see this change has gone out in 2.7.4 - does that wrap up this issue or
is there still work in progress on it?

https://github.com/ckan/ckan/commit/8230cd07f306b079c97be75971197f286edc2aa5

Best
JD

On 20 April 2018 at 16:31, JD Bothma <jd at openup.org.za> wrote:

> Hi Adrià
>
> Thank you very much for the update.
>
> Best
> JD
>
> On 20 April 2018 at 16:19, Adrià Mercader <adria.mercader at okfn.org> wrote:
>
>> Hi JD,
>> Just a quick note to say that we are planning on working on a patch for
>> this next week and backporting it to the next patch releases, which should
>> hopefully be out in a couple of weeks with 2.8.
>>
>> Btw 2.8 is not affected by this.
>>
>> Have a great weekend
>>
>> Adrià
>>
>> On 12 Apr 2018 10:32 pm, "JD Bothma" <jd at openup.org.za> wrote:
>>
>> Thanks!
>>
>> JD
>>
>> On Thu, 12 Apr 2018, 22:23 Adrià Mercader, <adria.mercader at okfn.org>
>> wrote:
>>
>>>
>>> Many thanks for the report JD,
>>>
>>> We'll work out a plan to address this and patch it as soon as we can.
>>> We'll keep you posted.
>>>
>>> Adrià
>>>
>>>
>>> On Thu, 12 Apr 2018, 17:03 JD Bothma, <jd at openup.org.za> wrote:
>>>
>>>> Hi there
>>>>
>>>> Isn't it a serious security issue to allow data modification via GET
>>>> requests?
>>>>
>>>> e.g. curl -v 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save=' -H 'cookie:...' ...
>>>>
>>>> This changed my display name. Haven't checked if you can modify
>>>> datasets this way.
>>>>
>>>> Further, since GET is whitelisted, this CSRF protection isn't effective:
>>>> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
>>>>
>>>> Do you know of a way to stop modifications with GET other than
>>>> modifying the controllers? It looks like the same controllers are used for
>>>> GET and POST, which means we can't just add method conditions in routing.py:
>>>> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
>>>>
>>>> Best
>>>> JD
>>>> _______________________________________________
>>>> CKAN security
>>>> https://lists.okfn.org/mailman/listinfo/security
>>>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>>>
>>>> Repo: https://github.com/ckan/ckan-security
>>>
>>>
>>
>
>
> --
> JD Bothma
> Software Developer
> OpenUp
> +27 (0)79 281 6737
> +27 (0)21 671 6306
>



-- 
JD Bothma
Software Developer
OpenUp
+27 (0)79 281 6737
+27 (0)21 671 6306
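The problem described in the quoted report (the same Pylons controller serves GET to render the form and POST to save it, so a GET carrying the form's `save` parameter in the query string reaches the save path and slips past a CSRF filter that exempts GET) can be blocked in front of the application without touching the controllers. The following is an added example written for this page; it is not CKAN or ckanext-security code. The `save` marker is taken from the reported request, and the middleware class, helper names and the stand-in application are assumptions made for illustration.

```python
"""Added example (not CKAN code): refuse form submissions on safe methods.

A WSGI middleware that answers 405 when a GET/HEAD/OPTIONS request carries
a form-submission marker in its query string, so a CSRF filter that
exempts safe methods cannot be bypassed by turning a POST into a GET.
"""
from urllib.parse import parse_qs

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Assumed submission markers. The reported request carried `save=` in the
# query string; extend the set per deployment if other form buttons exist.
DEFAULT_SUBMIT_KEYS = frozenset({"save"})


def is_mutation_attempt(method, query_string, submit_keys=DEFAULT_SUBMIT_KEYS):
    """True when a safe method carries a form-submission marker.

    keep_blank_values=True matters: the reported request used `save=` with
    an empty value, which parse_qs would otherwise drop.
    """
    if method.upper() not in SAFE_METHODS:
        return False
    params = parse_qs(query_string or "", keep_blank_values=True)
    return any(key in params for key in submit_keys)


class RejectMutatingGet:
    """WSGI middleware: 405 for safe-method requests that look like submits."""

    def __init__(self, app, submit_keys=DEFAULT_SUBMIT_KEYS):
        self.app = app
        self.submit_keys = submit_keys

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        if is_mutation_attempt(method, environ.get("QUERY_STRING", ""),
                               self.submit_keys):
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Allow", "POST")])
            return [b"state-changing requests must use POST\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for a form controller: GET renders the form, POST saves."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    if environ["REQUEST_METHOD"] == "POST":
        return [b"saved\n"]
    return [b"form\n"]


def run_request(app, method, path, query_string=""):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query_string,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


app = RejectMutatingGet(demo_app)

if __name__ == "__main__":
    # Constructed query string mirroring the shape of the reported request.
    q = "name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&save="
    print(run_request(app, "GET", "/user/edit/jd", q))   # 405, rejected
    print(run_request(app, "POST", "/user/edit/jd", q))  # 200, saved
    print(run_request(app, "GET", "/user/edit/jd"))      # 200, renders form
```

The middleware has to sit in front of any CSRF filter that whitelists safe methods, otherwise the filter sees the GET first and waves it through. It is a stop-gap that only covers query-string submissions; the durable fix is still for the controllers themselves to require POST on their save branches.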