description changed

rgrp — Mon, 28 Sep 2009 09:31:43 GMT

description modified (diff)

status changed; resolution set

dread — Thu, 01 Oct 2009 14:15:44 GMT

status changed from new to closed
resolution set to fixed

Found two security holes, both only in READ access (not write). Tickets raised for holes: ticket:132 - REST listing packages & groups ticket:133 - search package/group (WUI & REST)

Full details of files checked: $ find . -name "*.py" | xargs grep "import ckan.model" ./ckan/presentation.py:import ckan.model as model REMOVED - unused ./ckan/tests/functional/test_group_edit_authz.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_rest.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_package.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_user.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_tag.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_group.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_package_edit_authz.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_revision.py:import ckan.model as model - not runtime ./ckan/tests/functional/test_authz.py:import ckan.model as model - not runtime ./ckan/tests/test_search.py:import ckan.model as model - not runtime ./ckan/tests/models/test_package.py:import ckan.model as model - not runtime ./ckan/tests/models/test_user.py:import ckan.model as model - not runtime ./ckan/tests/models/test_group.py:import ckan.model as model - not runtime ./ckan/tests/models/test_extras.py:import ckan.model as model - not runtime ./ckan/tests/models/test_misc.py:import ckan.model as model - not runtime ./ckan/tests/models/test_authz.py:import ckan.model as model - not runtime ./ckan/tests/forms/test_package.py:import ckan.model as model - not runtime ./ckan/tests/forms/test_group.py:import ckan.model as model - not runtime ./ckan/tests/forms/test_authz.py:import ckan.model as model - not runtime ./ckan/tests/test_converter.py:import ckan.model as model - not runtime ./ckan/tests/getdata/test_data4nr.py:import ckan.model as model - not runtime ./ckan/tests/init__.py:import ckan.model as model - not runtime ./ckan/tests/test_authz.py:import ckan.model as model - not runtime ./ckan/tests/test_purge_revision.py:import ckan.model as model - not runtime ./ckan/forms/common.py:import ckan.model as model - just validator ./ckan/forms/package.py:import ckan.model as model - validator & package edits ./ckan/forms/group.py:import ckan.model as model - validate & package, wui & rest edits ./ckan/forms/authz.py:import ckan.model as model - package & group wui/rest ./ckan/controllers/rest.py:import ckan.model as model - HOLE ticket:132 - REST listing packages & groups ./ckan/controllers/base.py:import ckan.model as model - paginate filters out deleted ones ./ckan/migration/versions/005_add_authorization_tables.py:import ckan.model as model - not runtime ./ckan/getdata/data4nr.py:import ckan.model as model - not runtime ./ckan/lib/search.py:import ckan.model as model - HOLE ticket:133 - search package/group (WUI & REST) ./ckan/lib/cli.py: import ckan.model as model - not runtime ./ckan/lib/cli.py: import ckan.model as model - not runtime ./ckan/lib/cli.py: import ckan.model as model - not runtime ./ckan/lib/cli.py: import ckan.model as model - not runtime ./ckan/lib/cli.py: import ckan.model as model - not runtime ./ckan/lib/cli.py: import ckan.model as model - not runtime ./ckan/lib/cli.py: import ckan.model as model - not runtime ./ckan/lib/converter.py:import ckan.model - dumper, not runtime ./ckan/lib/base.py:import ckan.model as model - just a remove ./ckan/authz.py:import ckan.model as model - only gets roles ./bin/ckan_spam.py:import ckan.models as model - not runtime ./bin/ckan-correct.py:import ckan.models - not runtime ./test_migrate.py:import ckan.model as model - not runtime

CKAN: Ticket #120: Security audit

description changed

status changed; resolution set