I found that file_open does not sanitize the name against up-level reference. This allows to open any file that trytond has read access. I see one particular case where this could be used. It is the field 'name' on Report definition which represent the relative path to the report template. As this field is writeable by the group "admin", this allow any "admin" user to forge a path to read file outside trytond directory (or egg path). This behaviour could be an issue on shared hosting environment where trytond's administrators are not the same as the host administrators.
|2016-08-20 10:25:56||ced||set||recipients: + bch, yangoon, nicoe, sharkcz, pokoli, ajacoutot|
|2016-08-20 10:25:56||ced||set||messageid: <email@example.com>|
|2016-08-20 10:25:56||ced||link||issue5808 messages|
Showing 10 items. Show all history (warning: this could be VERY long)