file_open does not sanitize all cases

The patch from #5808 (closed) did not sanitize all cases. Indeed there is a case where external file could be retrieved if they are stored in a folder next to trytond root starting with the same name but a suffix.
For example: '../trytond_suffix'.
Here is review33191002 that fix it.

assigned to @ced

added trytond + 1 deleted label

added 1 deleted label and removed 1 deleted label

Do you think it deserves a CVE and security release?

I think just like #5808 (closed), this one should trigger a security release.

@yangoon could you request a CVE number?

I propose this schedule:

2017-04-03 for release
2017-04-04 for news

> Cédric Krier <cedric.krier@b2ck.com> added the comment:
>
> I think just like #5808 (closed), this one should trigger a security release.
>
> @yangoon could you request a CVE number?

CVE requested.

> Cédric Krier <cedric.krier@b2ck.com> added the comment:
>
> I think just like #5808 (closed), this one should trigger a security release.
>
> @yangoon could you request a CVE number?
>
> I propose this schedule:
>
> 2017-04-03 for release
> 2017-04-04 for news

Please use CVE-2017-0360.

Time schedule agreed.

made the issue visible to everyone

added 1 deleted label and removed 1 deleted label

closed

New changeset c4ac6ad3570d by C?dric Krier in branch 'default':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/c4ac6ad3570d

New changeset 472510fdc6f8 by C?dric Krier in branch '4.2':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/472510fdc6f8

New changeset 039fbdf778ad by C?dric Krier in branch '4.0':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/039fbdf778ad

New changeset 6bb9f811f4ae by C?dric Krier in branch '3.8':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/6bb9f811f4ae

New changeset 2df3adc5b514 by C?dric Krier in branch '3.6':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/2df3adc5b514

New changeset f0f7d4125e48 by C?dric Krier in branch '3.4':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/f0f7d4125e48

Releases published: 4.2.3, 4.0.8, 3.8.11, 3.6.15 and 3.4.17

made the issue confidential

added 1 deleted label and removed 1 deleted label

reopened

added 1 deleted label and removed 1 deleted label

Here is review30231002 for the news.

added 1 deleted label and removed 1 deleted label

New changeset 7bbdc073c584 by C?dric Krier in branch 'default':
Security Release for #6361 (closed)
http://hg.tryton.org/www.tryton.org/rev/7bbdc073c584

closed