Custom Query (2152 matches)

Results (472 - 474 of 2152)

Ticket #1057 (resolution: fixed): JSONP parameter isn't escaped. Reporter: dread.

Reported by dread, 3 years ago.

Description
$ curl "http://127.0.0.1:5000/api/rest/package/annakarenina?callback=<script>jsoncallback"

gives:

<script>jsoncallback({"id": "c10ebd31-5b45-4f6f-885d-dca9b18caec4", "name": "annakarenina", "title": "A Novel By Tolstoy",

which could run script code in the client who made the call.

One idea for filtering: http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html

Maybe just better to have a restricted whitelist of characters to be even more sure.

Same as: https://trac.dataco.coi.gov.uk/projects/datagov/ticket/906
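A defensive check of the kind the ticket suggests, as an added example that is not CKAN's own code: the callback name is accepted only if it matches a strict whitelist of JavaScript identifier characters, and a rejected value is never copied into the response body. The function names, the 64-character limit and the sample record are assumptions made for this example.

```python
import json
import re

# Whitelist for a JSONP callback name: a JavaScript-style dotted identifier
# such as "jsoncallback" or "app.handlers.done". Angle brackets, quotes,
# parentheses and whitespace never match, so they are rejected, not echoed.
_CALLBACK_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$')
MAX_CALLBACK_LEN = 64  # assumed limit; long names are a sign of abuse, not of real clients


def is_safe_callback(name):
    """Return True only if `name` matches the strict callback whitelist."""
    if not isinstance(name, str) or not name or len(name) > MAX_CALLBACK_LEN:
        return False
    return _CALLBACK_RE.match(name) is not None


def render_jsonp(payload, callback):
    """Wrap `payload` as JSONP for a whitelisted callback.

    Returns (status, content_type, body). A callback that fails the whitelist
    gets a 400 and the offending value is left out of the body entirely.
    """
    if not is_safe_callback(callback):
        return 400, 'application/json', json.dumps({'error': 'invalid callback parameter'})
    # Serve as JavaScript rather than text/html so a browser that navigates to the
    # URL directly does not render the response as a document.
    body = '%s(%s);' % (callback, json.dumps(payload))
    return 200, 'application/javascript', body


if __name__ == '__main__':
    # Constructed sample record standing in for the package in the ticket.
    record = {'id': 'constructed-id-0001', 'name': 'annakarenina',
              'title': 'A Novel By Tolstoy'}
    print(render_jsonp(record, 'jsoncallback'))           # 200, wrapped JSON
    print(render_jsonp(record, '<script>jsoncallback'))   # 400, callback not echoed
```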

Ticket #1058 (resolution: fixed): Give 400 error (not 500) for invalid locale or package_form. Owner: dread. Reporter: dread.

Reported by dread, 3 years ago.

Description

Examples which prompt annoying exception emails:

http://ckan.net/locale?locale=ja
Module ckan.i18n:21 in set_session_locale
           assert locale in _KNOWN_LOCALES

A bot has caused these:

http://ca.ckan.net/package/new?package_form=gov
Module ckan.forms.registry:32 in get_fieldset
               raise ValueError('Could not find package_form name %r in those found: \n%r' % (package_form, [en.name for en in entrypoints]))
ValueError: Could not find package_form name u'gov)' in those found: ['gov', 'standard', 'ca']

Ticket #1059 (resolution: fixed): Loader coping better with poor search indexing. Owner: dread. Reporter: dread.

Reported by dread, 3 years ago.

Description

Loader currently checks for same name, but also should check for name_, name etc.
