ModelView.button fails to validate authorization.
The method ModelButton.get_groups doesn't search correctly for buttons.
Activity
- Cédric Krier added trytond + 1 deleted label
- Author Owner
Please test patch at review478002
- Cédric Krier assigned to @ced
- Cédric Krier added 1 deleted label and removed 1 deleted label
- Author Owner
I'm not completely sure if it is a security issue or not.
Because it just allows anyone to run button methods, but it will succeed only
if the user has the access right on the models that the button will change.
- Author Owner
@matb
I think we should request a CVE number via the Debian project for this issue.
Could you take this job?
- Developer
CVE-2012-2238 was assigned by the Debian project.
- Author Owner
I plan to make the security release for 2.4 on Friday 7th September.
- Author Owner
I did not have time to do it today, let's postpone the release to Monday 10.
- Author Owner
Fixed with rev 2c147ff136c7 and rev 279f0031b461
- Cédric Krier made the issue visible to everyone
- Cédric Krier added 1 deleted label and removed 1 deleted label
- Cédric Krier closed
- Author Owner
Release done and post of the news scheduled for 2012-09-11 at 12:00 AM
- Cédric Krier made the issue confidential
- Cédric Krier added 1 deleted label and removed 1 deleted label
- Cédric Krier reopened
- Cédric Krier made the issue visible to everyone
- Cédric Krier added 1 deleted label and removed 1 deleted label
- Cédric Krier closed