Tryton - Issues

 

Issue2757

Title ModelView.button fails to validate authorization.
Priority critical Status resolved
Superseder Nosy List ajacoutot, bch, ced, daniel, nicoe, sharkcz, yangoon
Type security Components trytond
Assigned To ced Keywords
Reviews

Created on 2012-08-17.17:25:09 by ced, last changed by ced.

Messages
msg11463 (view) Author: [hidden] (sharkcz) Date: 2012-09-11.14:31:26
update submitted in Fedora -
https://admin.fedoraproject.org/updates/trytond-2.4.2-1.fc18
msg11462 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2012-09-11.14:25:47
tryton-server (2.4.2-1) uploaded to Debian experimental
msg11457 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-09-10.18:18:33
Release done and post of the news scheduled for 2012-09-11 at 12:00 AM
msg11456 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-09-10.18:03:45
Fixed with rev 2c147ff136c7 and rev 279f0031b461
msg11444 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-09-07.20:34:07
I did not have time to do it today, let postpone the release to Monday 10.
msg11423 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-08-31.16:56:44
I plan to make the security release for 2.4 on Friday 7th September.
msg11413 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2012-08-29.20:05:30
CVE-2012-2238 was assigned by the Debian project.
msg11404 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-08-25.10:54:30
@matb
I think we should request a CVE number via the Debian project for this issue.
Could you take this job?
msg11383 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-08-17.17:35:55
I'm not completely sure if it is a security issue or not.
Because it just allow anyone to run buttons method but that it will succeed only
if the user has the access right on the models that the button will change.
msg11382 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-08-17.17:27:11
Please test patch at review478002
msg11381 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-08-17.17:25:08
The method ModelButton.get_groups doesn't search correctly for buttons.
History
Date User Action Args
2012-09-13 11:49:47cedsetstatus: chatting -> resolved
2012-09-11 14:31:26sharkczsetmessages: + msg11463
2012-09-11 14:25:47yangoonsetstatus: resolved -> chatting
messages: + msg11462
2012-09-11 10:00:28cedsetstatus: chatting -> resolved
2012-09-10 18:18:34cedsetstatus: resolved -> chatting
messages: + msg11457
2012-09-10 18:03:45cedsetstatus: testing -> resolved
messages: + msg11456
2012-09-07 20:34:07cedsetmessages: + msg11444
2012-08-31 16:56:45cedsetmessages: + msg11423
2012-08-29 20:05:30yangoonsetmessages: + msg11413
2012-08-27 17:23:22cedsetnosy: + sharkcz

Showing 10 items. Show all history (warning: this could be VERY long)