[CKAN-Security] data modifications using GET

Adrià Mercader adria.mercader at okfn.org
Tue May 15 11:37:29 UTC 2018


Hi JD,

Sorry, I forgot to ping you about this. Yes, this addresses the issue
in full as far as we are aware.

Adrià


On 14 May 2018 at 15:40, JD Bothma <jd at openup.org.za> wrote:
> Hi Adrià
>
> I see this change has gone out in 2.7.4 - does that wrap up this issue or is
> there still work in progress on it?
>
> https://github.com/ckan/ckan/commit/8230cd07f306b079c97be75971197f286edc2aa5
>
> Best
> JD
>
> On 20 April 2018 at 16:31, JD Bothma <jd at openup.org.za> wrote:
>>
>> Hi Adrià
>>
>> Thank you very much for the update.
>>
>> Best
>> JD
>>
>> On 20 April 2018 at 16:19, Adrià Mercader <adria.mercader at okfn.org> wrote:
>>>
>>> Hi JD,
>>> Just a quick note to say that we are planning on working on a patch for
>>> this next week and backporting it to the next patch releases, which should
>>> hopefully be out in a couple of weeks together with 2.8.
>>>
>>> Btw 2.8 is not affected by this.
>>>
>>> Have a great weekend
>>>
>>> Adrià
>>>
>>> On 12 Apr 2018 10:32 pm, "JD Bothma" <jd at openup.org.za> wrote:
>>>
>>> Thanks!
>>>
>>> JD
>>>
>>> On Thu, 12 Apr 2018, 22:23 Adrià Mercader, <adria.mercader at okfn.org>
>>> wrote:
>>>>
>>>>
>>>> Many thanks for the report JD,
>>>>
>>>> We'll work out a plan to address this and patch it as soon as we can.
>>>> We'll keep you posted.
>>>>
>>>> Adrià
>>>>
>>>>
>>>> On Thu, 12 Apr 2018, 17:03 JD Bothma, <jd at openup.org.za> wrote:
>>>>>
>>>>> Hi there
>>>>>
>>>>> Isn't it a serious security issue to allow data modification via GET
>>>>> requests?
>>>>>
>>>>> e.g. curl -v
>>>>> 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save='
>>>>> -H 'cookie:...' ...
>>>>>
>>>>> This changed my display name. Haven't checked if you can modify
>>>>> datasets this way.
>>>>>
>>>>> Further, since GET is whitelisted, this CSRF protection isn't effective:
>>>>> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
>>>>>
>>>>> Do you know of a way to stop modifications with GET other than
>>>>> modifying the controllers? It looks like the same controllers are used for
>>>>> GET and POST, which means we can't just add method conditions in routing.py:
>>>>> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
>>>>>
>>>>> Best
>>>>> JD
>>>
>>>
>>
>>
>>
>> --
>> JD Bothma
>> Software Developer
>> OpenUp
>> +27 (0)79 281 6737
>> +27 (0)21 671 6306
>
>
>
>
> --
> JD Bothma
> Software Developer
> OpenUp
> +27 (0)79 281 6737
> +27 (0)21 671 6306
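The thread raises two related points: a controller shared between GET and POST lets a form be submitted via a GET URL, and a CSRF middleware that whitelists GET outright never sees that submission. The following is an added example, not code from CKAN, ckanext-security or this thread: a small WSGI middleware that refuses a form submission arriving on a safe method, so a shared controller only ever processes mutations on POST. It assumes, as in the reported /user/edit URL, that submit buttons are encoded as a (possibly empty) "save" field; the field names and the demo app are constructed for illustration.

```python
"""Added example: reject form submissions that arrive on GET/HEAD.
Not CKAN's code; the field names below are assumptions for the demo."""
from urllib.parse import parse_qs

# Assumed submit-field names that mark a request as a mutation (constructed).
MUTATION_FIELDS = {"save", "delete"}
# Methods that must never change state (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_mutation_request(method, query_string):
    """True when a safe-method request carries a form-submission field.
    keep_blank_values matters: the reported URL ends in '&save=', and
    parse_qs would silently drop that empty field otherwise."""
    if method.upper() not in SAFE_METHODS:
        return False  # POST etc. are left to the CSRF check downstream
    params = parse_qs(query_string, keep_blank_values=True)
    return bool(set(params) & MUTATION_FIELDS)


class RejectGetMutations:
    """WSGI middleware answering 405 to GET/HEAD form submissions, placed in
    front of the application so the shared controller never runs for them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        if is_mutation_request(method, environ.get("QUERY_STRING", "")):
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"), ("Allow", "POST")])
            return [b"state-changing requests must use POST\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for a Pylons controller that saves on any method (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"saved\n"]


def call(app, method, path, query=""):
    """Minimal WSGI driver: returns (status line, body bytes)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], body


app = RejectGetMutations(demo_app)
```

Wrapping the application this way complements, rather than replaces, a CSRF token check on POST; the middleware only closes the path where a whitelisted GET reaches a mutating controller.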
