Tryton - Issues

 

Message17941

Author ced
Recipients ajacoutot, bch, daniel, duesenfranz, nicoe, sharkcz, yangoon
Date 2014-09-06.18:12:04
Content
For the record, safe_eval is used in:

- convert.py for XML evaluation (no security issue)
- action.py for some field evaluation (by default only admin has write access) *
- cron.py: idem *
- lang.py: idem *
- model.py only for migration (no security issue after migration)
- rule.py: idem *
- trigger.py: idem *
- view.py: idem *
- modelview.py: same as for view.py
- currency.py: idem *
- price_list.py: write access to product admin user
- webdav.py: any user has write access

So for me, there are 2 weak points: price_list and webdav.
History
Date User Action Args
2014-09-06 18:12:05 ced set messageid: <1410019925.01.0.157912418031.issue4155@tryton.org>
2014-09-06 18:12:05 ced set recipients: + bch, yangoon, nicoe, sharkcz, daniel, ajacoutot, duesenfranz
2014-09-06 18:12:04 ced link issue4155 messages
2014-09-06 18:12:04 ced create
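
One way to rebuild an inventory like the one in the message above when auditing a code base (an added example, not part of the original message and not Tryton code): walk each file's AST, list every call to `safe_eval`, and mark whether the evaluated expression is a literal in the source or comes from data, since only the second kind depends on who has write access. The sample source, the file name and the `find_safe_eval_calls` helper are constructed for this illustration.

```python
import ast

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''\
def compute(line, context):
    return safe_eval(line.formula, context)

def default_domain():
    return tools.safe_eval("[('active', '=', True)]")

def note():
    return "safe_eval(x) in a string is not a call"
'''


def find_safe_eval_calls(source, filename="<src>", name="safe_eval"):
    """Return sorted (filename, lineno, kind) for every call to `name`.

    kind is "constant" when the first argument is a literal written in the
    source, and "dynamic" when it is computed or read from a record, which
    is the case where write access to that record decides the exposure.
    """
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name):
            called = func.id          # safe_eval(...)
        elif isinstance(func, ast.Attribute):
            called = func.attr        # tools.safe_eval(...)
        else:
            continue
        if called != name:
            continue
        first = node.args[0] if node.args else None
        kind = "constant" if isinstance(first, ast.Constant) else "dynamic"
        hits.append((filename, node.lineno, kind))
    return sorted(hits)


if __name__ == "__main__":
    for fname, lineno, kind in find_safe_eval_calls(SAMPLE, "sample.py"):
        print(f"{fname}:{lineno}: safe_eval on {kind} expression")
```

Each "dynamic" hit still needs the manual step the message performs: identifying which model field feeds the call and which groups can write to it.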
