Message 27828

Author: ced
Date: 2016-08-20.10:25:56
Message id: 27828

Content

I found that file_open does not sanitize the name against up-level references.
This allows opening any file that trytond has read access to.
I see one particular case where this could be used. It is the field 'name' on the Report definition, which represents the relative path to the report template. As this field is writeable by the group "admin", this allows any "admin" user to forge a path to read files outside the trytond directory (or egg path).
This behaviour could be an issue in shared hosting environments where trytond's administrators are not the same as the host administrators.
History
Date User Action Args
2016-08-20 10:25:56 ced set recipients: + bch, yangoon, nicoe, sharkcz, pokoli, ajacoutot
2016-08-20 10:25:56 ced set messageid: <1471681556.82.0.805874070951.issue5808@tryton.org>
2016-08-20 10:25:56 ced link issue5808 messages
2016-08-20 10:25:56 ced create
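
The kind of containment check the message above says is missing, as an added example (not part of the original message, and not trytond's code or its fix). `safe_join`, `is_contained` and the directory layout are hypothetical names constructed for illustration.

```python
import os
import tempfile


def safe_join(root, name):
    """Resolve `name` under `root`; raise ValueError if the result escapes it."""
    root = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks. An absolute `name` makes
    # os.path.join discard `root`; the containment check below catches that too.
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath compares whole path components, so a sibling such as
    # 'modules-evil' is not mistaken for 'modules' (startswith() would be).
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes root: %r" % (name,))
    return candidate


def is_contained(root, name):
    try:
        safe_join(root, name)
        return True
    except ValueError:
        return False


def demo():
    """Check constructed template names against a constructed <tmp>/modules root."""
    names = (
        "party/label.odt",           # ordinary relative template path
        "party/../party/label.odt",  # '..' that still resolves inside root
        "../secret.cfg",             # up-level reference
        "party/../../secret.cfg",    # up-level reference after a valid prefix
        "<absolute>",                # replaced below by an absolute path
        "../modules-evil/x.odt",     # sibling directory sharing the prefix
    )
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "modules")
        os.makedirs(root)
        for name in names:
            path = os.path.join(tmp, "secret.cfg") if name == "<absolute>" else name
            results[name] = is_contained(root, path)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-28s %s" % (name, "allowed" if ok else "rejected"))
```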
