Tryton - Issues


Issue6361

Title: file_open does not sanitize all cases
Priority: bug
Status: resolved
Superseder:
Nosy List: ajacoutot, bch, ced, nicoe, pokoli, roundup-bot, sharkcz, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 33191002, 30231002

Created on 2017-03-14.13:20:39 by ced, last changed by roundup-bot.

Messages
msg33101 Author: [hidden] (roundup-bot) Date: 2017-04-04.18:49:26
New changeset 7bbdc073c584 by Cédric Krier in branch 'default':
Security Release for issue6361
http://hg.tryton.org/www.tryton.org/rev/7bbdc073c584
msg33082 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-04-04.10:32:18
Here is review30231002 for the news.
msg33079 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-04-03.19:28:11
Releases published: 4.2.3, 4.0.8, 3.8.11, 3.6.15 and 3.4.17
msg33078 Author: [hidden] (roundup-bot) Date: 2017-04-03.18:37:51
New changeset c4ac6ad3570d by Cédric Krier in branch 'default':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/c4ac6ad3570d

New changeset 472510fdc6f8 by Cédric Krier in branch '4.2':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/472510fdc6f8

New changeset 039fbdf778ad by Cédric Krier in branch '4.0':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/039fbdf778ad

New changeset 6bb9f811f4ae by Cédric Krier in branch '3.8':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/6bb9f811f4ae

New changeset 2df3adc5b514 by Cédric Krier in branch '3.6':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/2df3adc5b514

New changeset f0f7d4125e48 by Cédric Krier in branch '3.4':
Sanitize path in file_open against suffix
http://hg.tryton.org/trytond/rev/f0f7d4125e48
msg32753 Author: [hidden] (yangoon) Date: 2017-03-24.15:53:23
> Cédric Krier <cedric.krier@b2ck.com> added the comment:
> 
> I think just like issue5808, this one should trigger a security release.
> 
> @yangoon could you request a CVE number?
> 
> I propose this schedule:
> 
> 2017-04-03 for release
> 2017-04-04 for news

Please use CVE-2017-0360.

Time schedule agreed.
msg32741 Author: [hidden] (yangoon) Date: 2017-03-24.09:16:04
> Cédric Krier <cedric.krier@b2ck.com> added the comment:
> 
> I think just like issue5808, this one should trigger a security release.
> 
> @yangoon could you request a CVE number?

CVE requested.
msg32738 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-03-24.00:43:40
I think just like issue5808, this one should trigger a security release.

@yangoon could you request a CVE number?

I propose this schedule:

2017-04-03 for release
2017-04-04 for news
msg32494 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-03-14.13:23:01
Do you think it deserves a CVE and security release?
msg32493 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2017-03-14.13:20:39
The patch from issue5808 did not sanitize all cases. Indeed, there is a case where external files could be retrieved if they are stored in a folder next to the trytond root that starts with the same name but has a suffix.
For example: '../trytond_suffix'.
Here is review33191002 that fixes it.
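The flaw this message describes is a containment check that compares path strings by prefix, so a sibling directory whose name merely begins with the root's name passes. The block below is an added example and is not trytond's code or the patch in review33191002 (the page does not show that diff): it puts a prefix-only check beside a component-wise check built on os.path.commonpath. The root directory and file names are constructed for illustration.

```python
import os

# Constructed for illustration: a pretend trytond root directory.
ROOT = '/srv/trytond'


def is_inside_root_weak(path, root=ROOT):
    """Prefix-only containment check: the flawed pattern this issue describes.

    '../trytond_suffix/secret.cfg' normalises to '/srv/trytond_suffix/secret.cfg',
    which starts with the string '/srv/trytond', so the check wrongly accepts it.
    """
    root = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root, path))
    return target.startswith(root)


def is_inside_root(path, root=ROOT):
    """Component-wise containment check.

    os.path.commonpath compares whole path components, so the target is
    accepted only when it is the root itself or lies below it; a sibling
    directory that shares a name prefix yields a shorter common path.
    """
    root = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root, path))
    return os.path.commonpath([root, target]) == root


# Constructed test cases: relative path -> whether it should be allowed.
CASES = {
    'modules/party/party.xml': True,          # regular file below the root
    '../trytond_suffix/secret.cfg': False,    # sibling dir sharing the name prefix
    '../../etc/passwd': False,                # plain traversal above the root
    '/etc/passwd': False,                     # absolute path replaces the root in join()
}


def compare_checks(cases=CASES):
    """Return {path: (weak_result, hardened_result, expected)} for each case."""
    return {
        path: (is_inside_root_weak(path), is_inside_root(path), expected)
        for path, expected in cases.items()
    }


if __name__ == '__main__':
    for path, (weak, hardened, expected) in compare_checks().items():
        flag = '' if hardened == expected else '  <-- MISMATCH'
        print(f'{path!r:35} weak={weak!s:5} hardened={hardened!s:5} expected={expected}{flag}')
```

Running the block shows the weak check accepting only the suffix case that the hardened check rejects; the other three cases agree. The same holds for pathlib: Path.relative_to raises ValueError for the sibling directory, while a str(...).startswith(...) test does not.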
History
Date                 User         Action  Args
2017-04-04 18:49:26  roundup-bot  set     status: testing -> resolved; messages: + msg33101
2017-04-04 10:32:18  ced          set     status: in-progress -> testing; reviews: 33191002 -> 33191002,30231002; messages: + msg33082
2017-04-03 19:28:36  ced          set     status: chatting -> in-progress
2017-04-03 19:28:11  ced          set     status: resolved -> chatting; messages: + msg33079
2017-04-03 18:37:51  roundup-bot  set     nosy: + roundup-bot; messages: + msg33078
2017-04-03 18:37:39  ced          set     status: testing -> resolved
2017-03-24 15:53:23  yangoon      set     messages: + msg32753
2017-03-24 09:16:04  yangoon      set     messages: + msg32741
2017-03-24 00:43:40  ced          set     messages: + msg32738
2017-03-14 13:23:01  ced          set     messages: + msg32494