Created on 2021-02-08.10:20:48 by ced, last changed 1 month ago by roundup-bot.
New changeset 572f104db848 by Cédric Krier in branch 'default': Use safe_join in SharedDataMiddlewareIndex https://hg.tryton.org/tryton-env/rev/572f104db848
New changeset bdea3f9af35f by Cédric Krier in branch 'default': Use safe_join in SharedDataMiddlewareIndex https://hg.tryton.org/trytond/rev/bdea3f9af35f
New changeset 351b776b15e1 by Cédric Krier in branch '5.8': Use safe_join in SharedDataMiddlewareIndex https://hg.tryton.org/trytond/rev/351b776b15e1
New changeset 69ea25e4e4b5 by Cédric Krier in branch '5.6': Use safe_join in SharedDataMiddlewareIndex https://hg.tryton.org/trytond/rev/69ea25e4e4b5
New changeset b210cd3452af by Cédric Krier in branch '5.0': Use safe_join in SharedDataMiddlewareIndex https://hg.tryton.org/trytond/rev/b210cd3452af
I reproduced the issue when using a reverse-proxy like nginx, so probably it depends on the setup. As we are just redirecting all requests to uwsgi, it makes sense to me that it's exploitable.
The proposed release schedule makes sense to me; indeed, if it's possible to publish it sooner, it will be great.
Here is review333851027. I keep a fallback on posixpath.join because we do not have a minimal version for werkzeug and safe_join was added in 0.7 only.
As the issue has been made public for a short time, I think we should accelerate the publication. I propose the 12/02/2021 at 10:00 CET.
Side note: I could not reproduce it when trytond is running behind a reverse-proxy like nginx.
Our override of SharedDataMiddleware.get_directory_loader did include the usage of safe_join. So it is possible to escape the root directory.
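A stdlib illustration of the fix discussed in this thread (an added example, not trytond's or werkzeug's code): the `safe_join` below is a stand-in mirroring the semantics of `werkzeug.security.safe_join`, `make_loader` is a simplified, hypothetical version of a `get_directory_loader` override, `unsafe_join` is the plain `posixpath.join` pattern the fix replaces, and `ROOT` is a constructed path.

```python
import os
import posixpath

ROOT = "/srv/trytond/static"  # constructed example root, not a real deployment


def unsafe_join(directory, filename):
    """Plain join: trusts the request path, so '..' components escape the root."""
    return posixpath.join(directory, filename)


def safe_join(directory, *pathnames):
    """Stand-in with the semantics of werkzeug.security.safe_join (werkzeug >= 0.7).

    Returns None when any component is absolute, is '..', or starts with '../'
    after normalisation, i.e. whenever it would leave ``directory``.
    """
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            os.path.isabs(filename)
            or filename == ".."
            or filename.startswith("../")
            # Reject platform separators other than '/' (e.g. '\\' on Windows)
            or any(sep in filename for sep in (os.sep, os.path.altsep)
                   if sep not in (None, "/"))
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def make_loader(directory, join=safe_join):
    """Hypothetical directory loader: maps a request path to (basename, fullpath),
    or (None, None) when the join function rejects the path. No filesystem access."""
    def loader(path):
        full = join(directory, path) if path is not None else directory
        if full is None:
            return None, None
        return posixpath.basename(full), full
    return loader


def inside_root(root, path):
    """Defensive check: does the normalised path stay under root?"""
    root, path = posixpath.normpath(root), posixpath.normpath(path)
    return path == root or path.startswith(root + "/")
```

Wiring `make_loader(ROOT)` instead of `make_loader(ROOT, join=unsafe_join)` is the whole difference between the reported behaviour and the fixed one; `inside_root` is the check a test suite can run against whatever the loader returns.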
| Date | User | Action | Args |
| 2021-02-12 10:22:07 | roundup-bot | set | messages: + msg64490 |
| | | | status: testing -> resolved |
| 2021-02-09 18:34:48 | pokoli | set | messages: + msg64426 |
| | | | messages: + msg64361 |
| | | | status: in-progress -> testing |