Directory loader can escape root directory

From https://discuss.tryton.org/t/uwsgi-is-vulnerable-to-a-directory-traversal-problem-on-2-0-19-1/3780. Our override of SharedDataMiddleware.get_directory_loader did include the usage of safe_join. So it is possible to escape the root directory.

assigned to @ced

added trytond + 1 deleted label

Here is review333851027. I keep a fallback on posixpath.join because we do not have a minimal version for werkzeug and safe_join was added in 0.7 only.

As the issue has been made public for a short time, I think we should accelerate the publication. I propose the 12/02/2021 at 10:00 CET.

Side note: I could not reproduce it when trytond is running behind a reverse-proxy like nginx

added 1 deleted label and removed 1 deleted label

I reproduced the issue when using a reverse-proxy like nginx so probably it depends on the setup. As we are just redirecting all requests to uwsgi it make sense for me that it's exploitable.

The propsed release schedule makes sense for me, indeed if it's possible to publish it sooner it will be great.

New changeset bdea3f9af35f by Cédric Krier in branch 'default':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/bdea3f9af35f

New changeset 351b776b15e1 by Cédric Krier in branch '5.8':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/351b776b15e1

New changeset 69ea25e4e4b5 by Cédric Krier in branch '5.6':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/69ea25e4e4b5

New changeset b210cd3452af by Cédric Krier in branch '5.0':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/b210cd3452af

made the issue visible to everyone

added 1 deleted label and removed 1 deleted label

closed

New changeset 572f104db848 by Cédric Krier in branch 'default':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/tryton-env/rev/572f104db848