-
-
Notifications
You must be signed in to change notification settings - Fork 677
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issue: read-only canned queries leak CSRF token in URL #918
Comments
Fix has been released in Datasette 0.46: https://datasette.readthedocs.io/en/latest/changelog.html#v0-46 |
It's worth noting that in order to exploit this issue the following would all need to be true:
The attacker would need full knowledge of the URL and form layout of the Datasette instance that they are exploiting. |
Submitting the form on https://latest.datasette.io/fixtures/neighborhood_search demonstrates that this is fixed. |
GitHub security advisory: GHSA-q6j3-c4wc-63vw |
The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).
This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to:
https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=IlFubnoxVVpLU1NGT3NMVUoi.HbOPd2YH_epQmp8f_aAt0s-MxtU
This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.
The text was updated successfully, but these errors were encountered: