Skip to content

CSRF tokens leaked in URL by canned query form

Moderate severity GitHub Reviewed Published Aug 9, 2020 in simonw/datasette • Updated Jan 9, 2023

Package

pip datasette (pip)

Affected versions

< 0.46

Patched versions

0.46

Description

Impact

The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).

This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to:

https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE

This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.

Patches

A fix for this issue has been released in Datasette 0.46.

Workarounds

You can fix this issue in a Datasette instance without upgrading by copying the 0.46 query.html template into a custom templates/ directory and running Datasette with the --template-dir=templates/ option.

References

Issue 918 discusses this in details: simonw/datasette#918

For more information

Contact swillison at gmail with any questions.

References

@simonw simonw published to simonw/datasette Aug 9, 2020
Reviewed Aug 10, 2020
Published to the GitHub Advisory Database Aug 11, 2020
Last updated Jan 9, 2023

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-q6j3-c4wc-63vw

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.