Issue 5808
- Title
- file_open allows to open file outside trytond root
- Priority
- urgent
- Status
- resolved
- Nosy list
- ajacoutot, bch, ced, nicoe, pokoli, sharkcz, yangoon
- Assigned to
- ced
- Keywords
- review
Created on 2016-08-20.10:25:56 by ced, last changed 56 months ago by ced.
Messages
News published.
The releases have been published.
Here is review32491003 for the announce.
Please use CVE-2016-1242 for this issue.
All current maintained series.
I will request the CVE. Do we already know the affected versions?
Here is review28691002 I think we could schedule security release with issue5795 @yangoon Could you get another CVE number for this one?
I found that file_open does not sanitize the name against up-level reference. This allows to open any file that trytond has read access. I see one particular case where this could be used. It is the field 'name' on Report definition which represent the relative path to the report template. As this field is writeable by the group "admin", this allow any "admin" user to forge a path to read file outside trytond directory (or egg path). This behaviour could be an issue on shared hosting environment where trytond's administrators are not the same as the host administrators.
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2016-08-31 12:28:11 | ced | set | status: testing -> resolved messages: + msg28228 |
| 2016-08-30 14:49:46 | ced | set | messages: + msg28212 |
| 2016-08-25 19:55:31 | ced | set | reviews: 28691002 -> 28691002,32491003 messages: + msg27996 |
| 2016-08-23 10:10:14 | yangoon | set | messages: + msg27883 |
| 2016-08-20 15:25:04 | ced | set | messages: + msg27833 |
| 2016-08-20 12:46:38 | yangoon | set | messages: + msg27830 |
| 2016-08-20 10:28:22 | ced | set | status: in-progress -> testing reviews: 28691002 messages: + msg27829 keyword: + review |
| 2016-08-20 10:25:56 | ced | create | |
Showing 10 items. Show all history (warning: this could be VERY long)