<div dir="ltr"><div dir="ltr"><div dir="ltr">I'm not quite sure why you are identifying this as a security issue; could you please elaborate?<div><br></div><div>However, the outcome is a side effect of the "django-tastypie" paginator log.</div><div><br></div><div>See <a href="https://github.com/django-tastypie/django-tastypie/blob/master/tastypie/paginator.py#L56">https://github.com/django-tastypie/django-tastypie/blob/master/tastypie/paginator.py#L56</a></div><div><br></div><div>In order to avoid reporting the used inputs in the error message, the quickest solution would be to make the "ModelResource" classes use a custom paginator, as explained here:</div><div><br></div><div><a href="https://django-tastypie.readthedocs.io/en/latest/paginator.html">https://django-tastypie.readthedocs.io/en/latest/paginator.html</a><br></div><div><br></div><div>In case you are not able to do that, please open an issue on the GeoNode GitHub.</div><div><br></div><div>Moreover, as a general suggestion:</div><div><br></div><div>1. Questions on technical issues must be sent to the geonode-devel list and, in case they are identified as issues, in order to be taken into account they must be correctly explained in a GitHub issue on the GeoNode repository.</div><div><br></div><div>2. It is a very bad practice to report potential security issues publicly. That would be very risky for everyone running a GeoNode instance, other than you. 
Next time, please, send private emails to the GeoNode PSC members.</div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, 1 Oct 2018 at 08:44 Naresh N <<a href="mailto:naresh919@gmail.com">naresh919@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">Dear All,<div><br></div><div>We have used GeoNode for the development of our portal SUVIDHA. As a part of security, we have changed the parameter value <b>'limit'</b> in the following URL to verify a <b>cross-site scripting attack</b>.</div><div><br></div><div><b>Requested URL:</b></div><div><b><br></b></div><div><div><a href="http://bhuvan-suvidha.nrsc.gov.in/api/base/?limit=10&offset=0&title__icontains=&" target="_blank">http://bhuvan-suvidha.nrsc.gov.in/api/base/?limit=10&offset=0&title__icontains=&</a><b>limit=10'%22()%26%25<acx><ScRiPt%20>prompt(971923)</ScRiPt></b>&offset=0&title__icontains=e&type__in=raster&undefined=undefined</div></div><div><br></div><div><b>Response for the above URL:</b></div><div><b><br></b></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">{"error": "Invalid limit '10'\"()&%<acx><ScRiPt >prompt(971923)</ScRiPt>' provided. Please provide a positive integer."}</span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br></span></div><div><font color="#000000"><span style="white-space:pre-wrap">Although the wrongly given input is not accepted, the error message contains the user-given input in the given format. As per cross-site scripting, whenever any meta characters (special characters) appear in the URL, </span><b style="white-space:pre-wrap">the application should encode the special characters. Since the response did not contain the encoded user-given input, the given request was treated as a security alert for a cross-site scripting attack.</b></font></div><div><font color="#000000"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000"><span style="white-space:pre-wrap">Please help me with how to make all GET request parameters encoded before proceeding with further steps.</span></font></div><div><font color="#000000"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000"><span style="white-space:pre-wrap">Is there any setting available for encoding all the requested GET parameters in GeoNode/Django?</span></font></div><div><font color="#000000"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000"><span style="white-space:pre-wrap">Thanks & Regards,</span></font></div><div><font color="#000000"><span style="white-space:pre-wrap">Naresh</span></font></div></div></div>
_______________________________________________<br>
geonode-users mailing list<br>
<a href="mailto:geonode-users@lists.osgeo.org" target="_blank">geonode-users@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/geonode-users" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/geonode-users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:12.8px"><span><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;font-size:11pt;white-space:pre-wrap">==</span><br></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">GeoServer Professional Services from the experts! Visit <a href="http://goo.gl/it488V" target="_blank">http://goo.gl/it488V</a> for more information.</span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">==</span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">Ing. 
Alessio Fabiani</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">@alfa7691</span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">Founder/Technical Lead</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">GeoSolutions S.A.S.</span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">Via di Montramito 3/A - </span><span 
style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">55054 Massarosa (LU) - </span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">Italy</span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">phone: +39 0584 962313</span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">fax: +39 0584 1660272</span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">mob: +39 331 6233686</span></p><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><a href="http://www.geo-solutions.it" target="_blank">http://www.geo-solutions.it</a></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><a href="http://twitter.com/geosolutions_it" target="_blank">http://twitter.com/geosolutions_it</a></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#222222;background-color:#ffffff;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">-------------------------------------------------------</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">With reference 
to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that everything concerning this email (its content, any attachments, etc.) is information whose knowledge is reserved to the recipient(s) indicated by the sender. If this message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could notify me.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap">This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.</span><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap"><br></span></p></span></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
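As an added example (not GeoNode's or tastypie's own code) of the custom-paginator route the reply suggests: a Paginator subclass whose BadRequest messages name the offending parameter without repeating the submitted value, so the response never carries the raw query string back to the client. It assumes tastypie's Paginator attributes request_data, limit, offset and max_limit and the resource Meta option paginator_class; a small stand-in keeps it runnable when tastypie is not installed.

```python
try:
    from tastypie.paginator import Paginator
    from tastypie.exceptions import BadRequest
except ImportError:
    # Minimal stand-ins so the example also runs without Django/tastypie installed.
    class BadRequest(Exception):
        pass

    class Paginator(object):
        def __init__(self, request_data, objects, limit=None, offset=0, max_limit=1000, **kwargs):
            self.request_data = request_data
            self.limit = limit
            self.offset = offset
            self.max_limit = max_limit


class NoEchoPaginator(Paginator):
    """Same checks as the stock paginator; the raw query value stays out of the message."""

    def _non_negative_int(self, name, default):
        raw = self.request_data.get(name, default)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise BadRequest("Invalid %s provided. Please provide a positive integer." % name)
        if value < 0:
            raise BadRequest("Invalid %s provided. Please provide a positive integer >= 0." % name)
        return value

    def get_limit(self):
        default = 20 if self.limit is None else self.limit
        limit = self._non_negative_int('limit', default)
        if self.max_limit and (not limit or limit > self.max_limit):
            return self.max_limit  # cap oversized or unlimited (0) requests, as tastypie does
        return limit

    def get_offset(self):
        return self._non_negative_int('offset', self.offset)


def page_params(query, **paginator_kwargs):
    """Return (limit, offset) for a query dict, or the error text a client would receive."""
    paginator = NoEchoPaginator(query, objects=[], **paginator_kwargs)
    try:
        return paginator.get_limit(), paginator.get_offset()
    except BadRequest as exc:
        return str(exc)

# Enable on a resource with:  class Meta: paginator_class = NoEchoPaginator
```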