Sanitize offset when listing group activity #2859

Closed
drmalex07 opened this issue Jan 30, 2016 · 2 comments

@drmalex07
Contributor

commented Jan 30, 2016

This is a very minor problem, apart from the fact that it causes HTTP 500 errors where it should simply ignore the offset parameter (or reply with an HTTP 400). It happens at https://github.com/ckan/ckan/blob/master/ckan/controllers/group.py#L860 because offset is not validated and is passed as-is to the action API function.

We have encountered this type of error several times on our production site, since crawling robots insist on trying URLs like http://labs.geodata.gov.gr/group/activity/imagery-base-maps-earth-cover/None

The above is tested on CKAN 2.2, but it seems to be exactly the same on the master branch.

@amercader amercader self-assigned this Feb 2, 2016

@amercader

Member

commented Feb 2, 2016

You are right, we have a couple of these on some actions. The best thing is to add this decorator to the relevant action and try / except a ValidationError on the group controller.

Do you want to submit a small PR for this?

@drmalex07

Contributor Author

commented Feb 2, 2016

That's ok, and is roughly what we've done in our fork to overcome it. I think the same problem also shows up in user activity lists (https://github.com/ckan/ckan/blob/master/ckan/controllers/user.py#L550).

So, I will return with a PR.

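The approach discussed in this thread (validate `offset` in the action, catch the validation error in the controller so the client gets a 400 instead of a 500), sketched as an added example that is not part of the original issue and is not CKAN's code. `ValidationError`, `validate_offset`, `group_activity_list`, `activity_view` and the page size are stand-ins defined here for illustration.

```python
# Added illustration, not CKAN code. Every name below is a hypothetical stand-in.

class ValidationError(Exception):
    """Stand-in for the error an action raises on bad input."""
    def __init__(self, error_dict):
        super().__init__(error_dict)
        self.error_dict = error_dict


PAGE_SIZE = 31  # assumed page size for this sketch


def validate_offset(raw):
    """Return a non-negative int; a missing offset means 0; anything else raises."""
    if raw is None or raw == "":
        return 0
    try:
        value = int(raw)
    except (TypeError, ValueError):
        # Covers crawler input such as the literal string "None" or "1.5".
        raise ValidationError({"offset": ["Invalid integer"]}) from None
    if value < 0:
        raise ValidationError({"offset": ["Must be a natural number"]})
    return value


def group_activity_list(data_dict):
    """Hypothetical action: validates offset before it reaches the data layer."""
    offset = validate_offset(data_dict.get("offset"))
    activities = ["activity-%d" % i for i in range(100)]  # constructed sample data
    return activities[offset:offset + PAGE_SIZE]


def activity_view(group_id, offset=None):
    """Hypothetical controller: returns (status, body), 400 on invalid offset."""
    try:
        items = group_activity_list({"id": group_id, "offset": offset})
    except ValidationError as e:
        return 400, e.error_dict
    return 200, items


if __name__ == "__main__":
    # The URL shape from the report: .../group/activity/<id>/None
    print(activity_view("imagery-base-maps-earth-cover", "None"))
    print(activity_view("imagery-base-maps-earth-cover", "5")[1][:2])
```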