Ticket #1057 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

JSONP parameter isn't escaped

Reported by: dread Owned by:
Priority: critical Milestone:
Component: ckan Keywords:
Cc: Repository: ckan
Theme: none

Description 

$ curl "http://127.0.0.1:5000/api/rest/package/annakarenina?callback=<script>jsoncallback"

gives: 

<script>jsoncallback({"id": "c10ebd31-5b45-4f6f-885d-dca9b18caec4", "name": "annakarenina", "title": "A Novel By Tolstoy",

which could run script code in the client who made the call.

One idea for filtering: http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html Maybe just better to have a restricted whitelist of characters to be even more sure.

Same as: https://trac.dataco.coi.gov.uk/projects/datagov/ticket/906

Change History

comment:1 Changed 2 years ago by toby

  • Status changed from new to closed
  • Resolution set to fixed

fixed in commit 3d7cbf0

Note: See TracTickets for help on using tickets.