{"html_url": "https://github.com/simonw/datasette/issues/918#issuecomment-671075764", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/918", "id": 671075764, "node_id": "MDEyOklzc3VlQ29tbWVudDY3MTA3NTc2NA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-08-09T16:56:48Z", "updated_at": "2020-08-09T16:56:48Z", "author_association": "OWNER", "body": "GitHub security advisory: https://github.com/simonw/datasette/security/advisories/GHSA-q6j3-c4wc-63vw", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 675724951, "label": "Security issue: read-only canned queries leak CSRF token in URL"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/918#issuecomment-671071710", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/918", "id": 671071710, "node_id": "MDEyOklzc3VlQ29tbWVudDY3MTA3MTcxMA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-08-09T16:21:41Z", "updated_at": "2020-08-09T16:21:41Z", "author_association": "OWNER", "body": "Submitting the form on https://latest.datasette.io/fixtures/neighborhood_search demonstrates that this is fixed.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 675724951, "label": "Security issue: read-only canned queries leak CSRF token in URL"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/918#issuecomment-671070528", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/918", "id": 671070528, "node_id": "MDEyOklzc3VlQ29tbWVudDY3MTA3MDUyOA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-08-09T16:12:16Z", "updated_at": "2020-08-09T16:12:16Z", "author_association": "OWNER", "body": "It's worth noting that in order to exploit this issue the following would all need to be true:\r\n\r\n- A user is running a copy of Datasette protected by a cookie-based authentication plugin AND configured with at least one writable canned query\r\n- An attacker is in control of a URL that could conceivably be returned on a page that is displayed as the result of submitting a read-only canned query\r\n- An authenticated user of that Datasette instance, who is running a browser that doesn't support the `SameSite=lax` cookie parameter (which is [widely supported](https://caniuse.com/#feat=same-site-cookie-attribute) by modern browsers), submits the read-only canned query form and then clicks a link to the attacker's off-site page, exposing their CSRF token in the attacker's HTTP Referer logs\r\n- The attacker then tricks that user into visiting their own malicious web page which includes a POST form that auto-submits against the writable canned query that the attacker wishes to exploit, including the CSRF token as a hidden field\r\n\r\nThe attacker would need full knowledge of the URL and form layout of the Datasette instance that they are exploiting.\r\n", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 675724951, "label": "Security issue: read-only canned queries leak CSRF token in URL"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/918#issuecomment-671070486", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/918", "id": 671070486, "node_id": "MDEyOklzc3VlQ29tbWVudDY3MTA3MDQ4Ng==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-08-09T16:11:59Z", "updated_at": "2020-08-09T16:11:59Z", "author_association": "OWNER", "body": "Fix has been released in Datasette 0.46: https://datasette.readthedocs.io/en/latest/changelog.html#v0-46", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 675724951, "label": "Security issue: read-only canned queries leak CSRF token in URL"}, "performed_via_github_app": null}
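The exploit chain described in the comments above (a hidden CSRF token in a GET form ends up in the query string, which the browser then copies into the Referer header when the user follows an off-site link) can be made concrete with a small script. What follows is an added example, not Datasette's own code and not the fix shipped in 0.46: the form field names, the `/fixtures/neighborhood_search` action, the token value and the access-log lines are all constructed for illustration. The first half shows why the form method decides whether the token leaks; the second half is a detector that scans combined-format access logs for Referer headers carrying a CSRF-token parameter, which is the check you would run against a site's own outbound-link logs (or a suspected attacker's) to see whether tokens were actually exposed.

```python
"""Added example (not Datasette's own code): how a hidden CSRF token in a
GET form leaks into the Referer header, plus a log-based detector for it.
Field names, URLs and log lines below are constructed assumptions."""
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical canned-query form: one user-visible field plus the hidden
# anti-CSRF field. The token value is made up for this example.
FORM_FIELDS = {
    "text": "Beaver",
    "csrftoken": "IlJSc1Q3b0xKd2dLUWhnVUtBRW5fbl9hU1l0UkhaWW53WW9EamlqZSI.EfgsHEaG",
}
# Any query parameter whose name mentions "csrf" is treated as a token.
TOKEN_PARAM_RE = re.compile(r"csrf", re.IGNORECASE)


def submission_url(action, method, fields):
    """Return the URL the browser requests when the form is submitted.

    A GET form serialises every field, hidden ones included, into the
    query string; a POST form keeps them in the request body, so the
    resulting URL (and therefore any later Referer header) carries none."""
    if method.upper() == "GET":
        return f"{action}?{urlencode(fields)}"
    return action


def url_leaks_token(url):
    """True if a query-string parameter name looks like a CSRF token.

    Everything in the query string is copied into the Referer header sent
    to the next page the user navigates to, unless a referrer policy
    strips it, so a token here is visible to any off-site link target."""
    names = parse_qs(urlparse(url).query)
    return any(TOKEN_PARAM_RE.search(name) for name in names)


# Apache/nginx "combined" log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def mask(token):
    """Keep a short prefix so a hit can be correlated without re-logging the secret."""
    return token[:6] + "..." if len(token) > 6 else "***"


def find_leaked_tokens(log_lines):
    """Scan access-log lines for Referer headers carrying a CSRF-token parameter.

    Returns a list of (client_ip, masked_token, referer_path) tuples; lines
    that do not parse or have no Referer ("-") are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        referer = m.group("referer")
        if referer == "-":
            continue
        parsed = urlparse(referer)
        for name, values in parse_qs(parsed.query).items():
            if TOKEN_PARAM_RE.search(name):
                hits.append((m.group("ip"), mask(values[0]), parsed.path))
    return hits


# Constructed sample log as an off-site page would see it: the first line is
# a visit arriving from a leaky GET form submission, the second from the
# same form once the token is no longer in the URL, the third has no Referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Aug/2020:16:12:16 +0000] "GET /landing HTTP/1.1" 200 512 '
    '"https://datasette.example/fixtures/neighborhood_search?text=Beaver&csrftoken=IlJSc1Q3b0xK.EfgsHEaG" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Aug/2020:16:12:20 +0000] "GET /landing HTTP/1.1" 200 512 '
    '"https://datasette.example/fixtures/neighborhood_search?text=Beaver" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Aug/2020:16:13:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for method in ("GET", "POST"):
        url = submission_url("/fixtures/neighborhood_search", method, FORM_FIELDS)
        print(f"{method}: leaks token = {url_leaks_token(url)}  ({url[:60]})")
    for ip, token, path in find_leaked_tokens(SAMPLE_LOG):
        print(f"token {token} leaked from {path} via Referer, client {ip}")
```

The detector deliberately matches on the parameter name rather than on a token format, since token encodings vary between frameworks; tighten `TOKEN_PARAM_RE` to the exact field name your application uses if the logs are noisy. Note that a `SameSite=Lax` cookie, as the comment above points out, blocks the second half of the attack (the forged cross-site POST) even when the token has leaked, so a hit here is a token-hygiene finding rather than proof of a successful write.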