Issue 5808

Title
file_open allows to open file outside trytond root
Priority
urgent
Status
resolved
Nosy list
ajacoutot, bch, ced, nicoe, pokoli, sharkcz, yangoon
Assigned to
ced
Keywords
review

Created on 2016-08-20.10:25:56 by ced, last changed 50 months ago by ced.

Messages

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-31.12:28:10
News published.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-30.14:49:46
The releases have been published.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-25.19:55:30
Here is review32491003 for the announce.
Author: [hidden] (yangoon) Tryton translator
Date: 2016-08-23.10:10:14
Please use CVE-2016-1242 for this issue.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-20.15:25:04
All current maintained series.
Author: [hidden] (yangoon) Tryton translator
Date: 2016-08-20.12:46:37
I will request the CVE. Do we already know the affected versions?
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-20.10:28:22
Here is review28691002
I think we could schedule security release with issue5795

@yangoon Could you get another CVE number for this one?
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-20.10:25:56
I found that file_open does not sanitize the name against up-level reference.
This allows to open any file that trytond has read access.
I see one particular case where this could be used. It is the field 'name' on Report definition which represent the relative path to the report template. As this field is writeable by the group "admin", this allow any "admin" user to forge a path to read file outside trytond directory (or egg path).
This behaviour could be an issue on shared hosting environment where trytond's administrators are not the same as the host administrators.
History
Date User Action Args
2016-08-31 12:28:11cedsetstatus: testing -> resolved
messages: + msg28228
2016-08-30 14:49:46cedsetmessages: + msg28212
2016-08-25 19:55:31cedsetreviews: 28691002 -> 28691002,32491003
messages: + msg27996
2016-08-23 10:10:14yangoonsetmessages: + msg27883
2016-08-20 15:25:04cedsetmessages: + msg27833
2016-08-20 12:46:38yangoonsetmessages: + msg27830
2016-08-20 10:28:22cedsetstatus: in-progress -> testing
reviews: 28691002
messages: + msg27829
keyword: + review
2016-08-20 10:25:56cedcreate

Showing 10 items. Show all history (warning: this could be VERY long)