Tryton - Issues

Title file_open allows to open file outside trytond root
Priority urgent Status resolved
Superseder Nosy List ajacoutot, bch, ced, nicoe, pokoli, sharkcz, yangoon
Type security Components trytond
Assigned To ced Keywords review
Reviews 28691002,32491003

Created on 2016-08-20.10:25:56 by ced, last changed by ced.

msg28228 Author: ced (Tryton committer) (Tryton translator) Date: 2016-08-31.12:28:10
News published.
msg28212 Author: ced (Tryton committer) (Tryton translator) Date: 2016-08-30.14:49:46
The releases have been published.
msg27996 Author: ced (Tryton committer) (Tryton translator) Date: 2016-08-25.19:55:30
Here is review 32491003 for the announce.
msg27883 Author: yangoon (Tryton translator) Date: 2016-08-23.10:10:14
Please use CVE-2016-1242 for this issue.
msg27833 Author: ced (Tryton committer) (Tryton translator) Date: 2016-08-20.15:25:04
All current maintained series.
msg27830 Author: yangoon (Tryton translator) Date: 2016-08-20.12:46:37
I will request the CVE. Do we already know the affected versions?
msg27829 Author: ced (Tryton committer) (Tryton translator) Date: 2016-08-20.10:28:22
Here is review 28691002.
I think we could schedule a security release with issue5795.

@yangoon Could you get another CVE number for this one?
msg27828 Author: ced (Tryton committer) (Tryton translator) Date: 2016-08-20.10:25:56
I found that file_open does not sanitize the name against up-level references.
This allows opening any file that trytond has read access to.
I see one particular case where this could be used. It is the field 'name' on the Report definition, which represents the relative path to the report template. As this field is writeable by the group "admin", this allows any "admin" user to forge a path to read files outside the trytond directory (or egg path).
This behaviour could be an issue in a shared hosting environment where trytond's administrators are not the same as the host administrators.
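The traversal described in this message, shown as an added, self-contained example. This is not trytond's code and not the fix from the reviews above: file_open_unsafe is a stand-in for the unsanitized behaviour (join the name under the root and open it), file_open_safe is one hardened form (reject absolute names, resolve '..' and symlinks with realpath, require the result to stay under the root), and the directory tree it builds in a temp dir is constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample tree (hypothetical, not from the Tryton project):
#   <tmp>/trytond/modules/report.odt   -> b"template"    (inside the root)
#   <tmp>/host_secret.txt              -> b"host secret" (outside the root)


def file_open_unsafe(name, root):
    """Join `name` under `root` with no check for up-level references.

    This is the pattern the report describes: a Report 'name' such as
    'modules/../../host_secret.txt' walks out of the root, so any file the
    trytond process can read becomes readable by an "admin" user.
    """
    return open(os.path.join(root, name), 'rb')


def file_open_safe(name, root):
    """Open `name` only if it resolves to a path inside `root`.

    Rejects absolute names, resolves '..' and symlinks via realpath, and
    requires the resolved file to share `root` as a path-component prefix
    (commonpath compares components, so '/srv/trytond2' cannot pass for
    '/srv/trytond').
    """
    if os.path.isabs(name):
        raise ValueError('absolute path not allowed: %r' % name)
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise ValueError('path escapes root: %r' % name)
    return open(real_path, 'rb')


def demonstrate():
    """Build the sample tree and exercise both openers with a forged name.

    Returns a dict so the outcome can be checked rather than printed.
    """
    base = tempfile.mkdtemp()
    root = os.path.join(base, 'trytond')
    os.makedirs(os.path.join(root, 'modules'))
    with open(os.path.join(root, 'modules', 'report.odt'), 'wb') as f:
        f.write(b'template')
    with open(os.path.join(base, 'host_secret.txt'), 'wb') as f:
        f.write(b'host secret')

    # A forged relative 'name' that climbs two levels above the root.
    forged = os.path.join('modules', '..', '..', 'host_secret.txt')

    # Unsanitized open: the file outside the root is returned.
    with file_open_unsafe(forged, root) as f:
        leaked = f.read()

    # Hardened open: the same name is refused.
    try:
        file_open_safe(forged, root)
        rejected = False
    except ValueError:
        rejected = True

    # A legitimate template path still opens under the hardened check.
    with file_open_safe(os.path.join('modules', 'report.odt'), root) as f:
        legit = f.read()

    return {'leaked': leaked, 'rejected': rejected, 'legit': legit}


if __name__ == '__main__':
    print(demonstrate())
```

The containment check is done on the realpath of both the root and the candidate, so a symlink placed inside the root that points outside it is also caught, which a plain string-prefix check on the unresolved path would miss.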
History

Date                 User     Action  Args
2016-08-31 12:28:11  ced      set     status: testing -> resolved; messages: + msg28228
2016-08-30 14:49:46  ced      set     messages: + msg28212
2016-08-25 19:55:31  ced      set     reviews: 28691002 -> 28691002,32491003; messages: + msg27996
2016-08-23 10:10:14  yangoon  set     messages: + msg27883
2016-08-20 15:25:04  ced      set     messages: + msg27833
2016-08-20 12:46:38  yangoon  set     messages: + msg27830
2016-08-20 10:28:22  ced      set     status: in-progress -> testing; reviews: 28691002; messages: + msg27829; keyword: + review
2016-08-20 10:25:56  ced      create