Here is review333851027. I keep a fallback on posixpath.join because we do not have a minimal version for werkzeug and safe_join was added in 0.7 only.
As the issue has been made public for a short time, I think we should accelerate the publication. I propose 12/02/2021 at 10:00 CET.
Side note: I could not reproduce it when trytond is running behind a reverse-proxy like nginx.
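As an added illustration of the fallback strategy mentioned above (example code written here, not the contents of review333851027 or trytond's own code): prefer `werkzeug.security.safe_join` when it is importable, and otherwise fall back to a `posixpath`-based check that rejects any component which would escape the base directory. The helper names `fallback_safe_join` and `safe_join` and the sample paths are assumptions made for this example; the fallback is deliberately stricter than werkzeug in rejecting backslashes on every platform.

```python
import os
import posixpath

try:
    # werkzeug.security.safe_join exists from werkzeug 0.7 onwards.
    from werkzeug.security import safe_join as _werkzeug_safe_join
except ImportError:  # older werkzeug, or werkzeug not installed at all
    _werkzeug_safe_join = None

# Separators other than "/" that this platform treats as path separators
# (e.g. "\\" on Windows); a "..\\" component must not slip past the checks.
_ALT_SEPS = [sep for sep in (os.path.sep, os.path.altsep) if sep not in (None, "/")]


def fallback_safe_join(directory, *pathnames):
    """Pure-posixpath fallback used when werkzeug's safe_join is unavailable.

    Returns the joined path, or None if any component would escape
    ``directory``. Hypothetical helper written for this example.
    """
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            # Collapse "a/../b" to "b" and "a/../../x" to "../x" first, so the
            # prefix checks below see the effective path, not the raw string.
            filename = posixpath.normpath(filename)
        if (
            any(sep in filename for sep in _ALT_SEPS)
            or "\\" in filename  # stricter than werkzeug: refuse backslashes everywhere
            or posixpath.isabs(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def safe_join(directory, *pathnames):
    """Use werkzeug's safe_join when present, otherwise the fallback above.

    Note (assumption): the return convention of werkzeug's own safe_join has
    changed across versions (older releases raised NotFound instead of
    returning None), so callers should treat both outcomes as "refuse".
    """
    if _werkzeug_safe_join is not None:
        return _werkzeug_safe_join(directory, *pathnames)
    return fallback_safe_join(directory, *pathnames)


if __name__ == "__main__":
    # Constructed sample requests: the first two are served, the rest refused.
    for requested in ("css/app.css", "a/../b", "../etc/passwd", "/etc/passwd", "a\\..\\x"):
        print(repr(requested), "->", fallback_safe_join("/srv/static", requested))
```

The check is applied to the normalised component, so a request like `a/../../x` (which normalises to `../x`) is refused even though the raw string does not start with `../`.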
Cédric Krier added 1 deleted label and removed 1 deleted label
I reproduced the issue when using a reverse-proxy like nginx, so probably it depends on the setup. As we are just redirecting all requests to uwsgi, it makes sense to me that it's exploitable.
The proposed release schedule makes sense to me; indeed, if it's possible to publish it sooner, it would be great.