Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE2ajMtYzR3Yy02M3Z3

CSRF tokens leaked in URL by canned query form

Impact

The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).

This means that submitting one of those read-only forms exposes the CSRF token in the URL. For example, on https://latest.datasette.io/fixtures/neighborhood_search, submitting the form took me to:

https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE

This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token-bearing URL would be sent in the Referer header and exposed in that site's referrer logs.
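As an added illustration (not Datasette's own query.html template or code), the snippet below models the defect and its fix: a read-only canned query is submitted with GET, so a hidden csrftoken field ends up in the query string, whereas the token belongs only in the POST form of a writable query. It also includes a defender-side check that scans access-log lines for requests carrying csrftoken in the URL; the function names, the `fixed` switch and the sample log lines are constructed for this example.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Hypothetical stand-in for the canned-query form logic (not the real template).
# `fixed=False` reproduces the vulnerable behaviour: the token is added to every
# canned query form, including the GET form of a read-only query.
# `fixed=True` reproduces the corrected behaviour: only the writable (POST) form
# carries the token, so it travels in the request body and never in the URL.
def render_canned_query_form(name, params, csrftoken, writable, fixed):
    method = "post" if writable else "get"
    fields = "".join(f'<input type="text" name="{escape(p)}">' for p in params)
    include_token = writable if fixed else True
    if include_token:
        fields += f'<input type="hidden" name="csrftoken" value="{escape(csrftoken)}">'
    return f'<form action="/fixtures/{escape(name)}" method="{method}">{fields}</form>'

# Defender-side check: report request paths whose query string contains a
# csrftoken parameter. This is what an exposed token looks like in access logs,
# and the same URL is what a browser would send as the Referer to an external site.
def leaked_token_requests(log_lines):
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.startswith("/") or token.startswith("http"):
                if "csrftoken" in parse_qs(urlsplit(token).query):
                    hits.append(token)
    return hits

# Constructed sample log lines in common log format; the first one shows a leak.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2020:10:00:00 +0000] "GET /fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE HTTP/1.1" 200 1234',
    '10.0.0.6 - - [01/Aug/2020:10:00:01 +0000] "GET /fixtures/neighborhood_search?text=down HTTP/1.1" 200 1200',
    '10.0.0.7 - - [01/Aug/2020:10:00:02 +0000] "POST /fixtures/add_name HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(render_canned_query_form("neighborhood_search", ["text"], "tok", writable=False, fixed=False))
    print(render_canned_query_form("neighborhood_search", ["text"], "tok", writable=False, fixed=True))
    print(leaked_token_requests(SAMPLE_LOG))
```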

Patches

A fix for this issue has been released in Datasette 0.46.

Workarounds

You can fix this issue in a Datasette instance without upgrading by copying the 0.46 query.html template into a custom templates/ directory and running Datasette with the --template-dir=templates/ option.

References

Issue 918 discusses this in detail: https://github.com/simonw/datasette/issues/918

For more information

Contact swillison at gmail with any questions.

Permalink: https://github.com/advisories/GHSA-q6j3-c4wc-63vw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE2ajMtYzR3Yy02M3Z3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-q6j3-c4wc-63vw
References: Repository: https://github.com/simonw/datasette
Blast Radius: 10.6

Affected Packages

pypi:datasette
Dependent packages: 104
Dependent repositories: 285
Downloads: 46,612 last month
Affected Version Ranges: < 0.46
Fixed in: 0.46
All affected versions: 0.22.1, 0.23.1, 0.23.2, 0.25.1, 0.25.2, 0.26.1, 0.26.2, 0.27.1, 0.29.1, 0.29.2, 0.29.3, 0.30.1, 0.30.2, 0.31.1, 0.31.2, 0.37.1
All unaffected versions: 0.47.1, 0.47.2, 0.47.3, 0.49.1, 0.50.1, 0.50.2, 0.51.1, 0.52.1, 0.52.2, 0.52.3, 0.52.4, 0.52.5, 0.54.1, 0.56.1, 0.57.1, 0.58.1, 0.59.1, 0.59.2, 0.59.3, 0.59.4, 0.60.1, 0.60.2, 0.61.1, 0.63.1, 0.63.2, 0.63.3, 0.64.1, 0.64.2, 0.64.3, 0.64.4, 0.64.5, 0.64.6