CSRF tokens leaked in URL by canned query form

Impact

The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).

This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to:

https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE

This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.

Patches

A fix for this issue has been released in Datasette 0.46.

Workarounds

You can fix this issue in a Datasette instance without upgrading by copying the 0.46 query.html template into a custom templates/ directory and running Datasette with the --template-dir=templates/ option.

References

Issue 918 discusses this in details: https://github.com/simonw/datasette/issues/918

For more information

Contact swillison at gmail with any questions.

Published: Aug 11, 2020
Updated: Apr 14, 2023
GHSA: GHSA-q6j3-c4wc-63vw
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
datasette	-	0.46

Vulnerability Database