The patch from #5808 (closed) did not sanitize all cases. Indeed, there is a case where external files could be retrieved if they are stored in a folder next to the trytond root that starts with the same name but with a suffix.
For example: '../trytond_suffix'.
Here is review33191002 that fixes it.
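The flaw described above, a plain string-prefix check on a resolved path, shown beside a boundary-aware check. This is an added illustration, not trytond's code or the fix in review33191002; the root directory and file names are constructed for the example.

```python
import os

# Constructed root for the illustration; assumed to have a sibling directory
# "trytond_suffix" next to it, as in the report. Not trytond's real layout.
ROOT = os.path.realpath("/srv/app/trytond")


def resolve(root, requested):
    """Join the request onto root and collapse '..' and symlinks."""
    return os.path.realpath(os.path.join(root, requested))


def naive_is_inside(root, requested):
    """The flawed pattern: a bare string prefix test.

    '/srv/app/trytond_suffix/x' starts with '/srv/app/trytond', so a
    sibling directory sharing the prefix slips through.
    """
    return resolve(root, requested).startswith(root)


def safe_is_inside(root, requested):
    """Containment test that respects directory boundaries.

    commonpath() only returns root when target is root itself or lies
    below it; a sibling with a longer name yields the parent instead.
    """
    target = resolve(root, requested)
    return os.path.commonpath([root, target]) == root


def audit(root, requests):
    """Return {request: (naive_verdict, safe_verdict)} for a list of paths."""
    return {r: (naive_is_inside(root, r), safe_is_inside(root, r))
            for r in requests}


if __name__ == "__main__":
    # Constructed requests: one legitimate, one via the sibling directory,
    # one plain traversal that both checks already reject.
    for req, verdict in audit(ROOT, ["modules/ir/view.xml",
                                     "../trytond_suffix/secret.txt",
                                     "../../etc/passwd"]).items():
        print(f"{req!r}: naive={verdict[0]} safe={verdict[1]}")
```

The naive check accepts '../trytond_suffix/secret.txt' while the commonpath check rejects it; both reject the plain traversal, which is why the earlier patch looked sufficient.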
> Cédric Krier <cedric.krier@b2ck.com> added the comment:
>
> I think just like #5808 (closed), this one should trigger a security release.
>
> @yangoon could you request a CVE number?
>
> I propose this schedule:
>
> 2017-04-03 for release
> 2017-04-04 for news