[12.0] cielo security hotfix #1562
Conversation
Hi @rvalyi! Thank you very much for this contribution. As the addon you are improving does not have a declared maintainer, I take the opportunity to mention that you can consider adopting it. To do so, please read the maintainer role description, and, if interested, create a pull request to add your GitHub login to the |
LGTM
/ocabot merge nobump |
On my way to merge this fine PR! |
@renatonlima your merge command was aborted due to failed check(s), which you can inspect on this commit of 12.0-ocabot-merge-pr-1562-by-renatonlima-bump-nobump. After fixing the problem, you can re-issue a merge command. Please refrain from merging manually as it will most probably make the target branch red. |
/ocabot merge patch |
On my way to merge this fine PR! |
@DiegoParadeda, @mileo if you have any customer using this (I doubt and I hope not), it would be professional to upgrade them immediately after the merge... |
Congratulations, your PR was merged at 1ca2785. Thanks a lot for contributing to OCA. ❤️ |
So guys given the recent pressure from KMEE and especially @bmessiaz to try to hijack the project once again after they already failed in 2017, see #1311 and #1561, let me explain this issue a little better so people will not be able to hide anymore: This gateway has been logging (in pretty print!) credit card numbers, including card holder name, expiry date and CVV code for a whole year in Odoo production logs, just like this: Any server administrator, any internship developer with access to the server would gain access to all e-commerce credit cards by just reading the Odoo logs... Obviously KMEE you never used this code in production or your whole business model is worse than anything else we could imagine... @mileo I prefer your fake contributions (see #1567 ) in the project when they are not DANGEROUS at least. Seriously I never heard about any such security issue in the whole OCA codebase... @marcelsavegnago @renatonlima @mbcosta @britoederr @netosjb @felipemotter @rpsjr @bmessiaz @luismalta @gabrielcardoso21 @ygcarvalh @marcos-mendez
@renatonlima @marcelsavegnago speaking about hotfixes, what about merging this one like real quick? Found this one just a few days ago when trying to get the module to pass pre-commit...
As with any security flaw it's better to fix first and communicate later. All I have to say for now given the context: proudly contributed by KMEE #943, approved by @mileo and @gabrielcardoso21 but not by @renatonlima nor by me... Open in the wild for a whole year. Let's just hope nobody used it.
It also happens to illustrate something I was complaining about in #1561
Hint: former build Travis logs speak for themselves and yes it happens in production too. Something unseen in the OCA so far.
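The flaw discussed in this thread is card data (PAN, holder, expiry, CVV) written verbatim into Odoo logs. The block below is an added example written for this page; it is not code from the PR, the cielo module or OCA. It shows the two things a defender wants here: an audit helper that finds Luhn-valid card numbers in existing log text, and a `logging.Filter` that masks PANs and blanks CVV values before a record reaches a handler. The sample payload, its field names (`CardNumber`, `SecurityCode`, `MerchantOrderId`) and the logger name are constructed for the example and are not taken from the page; the Luhn check is what keeps a 16-digit order id from being masked by mistake.

```python
"""Added example (not from the PR): find and redact card data in log lines."""
import io
import logging
import re

# Constructed sample resembling a pretty-printed gateway payload of the kind the
# thread describes; field names are assumptions, not taken from the module.
SAMPLE_LOG = """\
2020-01-01 12:00:00,000 INFO cielo.request: {
    "Payment": {
        "CreditCard": {
            "CardNumber": "4111 1111 1111 1111",
            "Holder": "JOAO SILVA",
            "ExpirationDate": "12/2025",
            "SecurityCode": "123"
        }
    },
    "MerchantOrderId": "1234567890123456"
}"""

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit value following a key such as "SecurityCode": or cvv=
CVV_RE = re.compile(r'("?(?:cvv|cvc|security_?code)"?\s*[:=]\s*"?)(\d{3,4})', re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidates(text: str):
    """Yield (match, bare digits) for every Luhn-valid card-number candidate."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield m, digits


def find_pans(text: str) -> list:
    """Audit helper: return the card numbers present in a chunk of log text."""
    return [digits for _, digits in _candidates(text)]


def redact(text: str) -> str:
    """Mask PANs to first 6 + last 4 digits and blank CVV values."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        return m.group(0)  # not a card number (e.g. an order id): leave untouched
    text = PAN_RE.sub(mask, text)
    return CVV_RE.sub(lambda m: m.group(1) + "***", text)


class CardDataFilter(logging.Filter):
    """Attach to a handler so card data never reaches the log file or console."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format the message first, then replace it with the redacted string.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_through_filter(payload: str) -> str:
    """Log the payload through a handler carrying CardDataFilter; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(CardDataFilter())
    logger = logging.getLogger("example.cielo")  # hypothetical logger name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info("request payload: %s", payload)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print("card numbers in raw sample:", find_pans(SAMPLE_LOG))
    written = log_through_filter(SAMPLE_LOG)
    print(written)
    print("card numbers after filter:", find_pans(written))
```

Running `find_pans` over archived log files is the quick way to establish whether a deployment actually leaked anything; attaching `CardDataFilter` to the handlers of the gateway's logger is a belt-and-braces measure on top of simply not logging the payload, which is what the hotfix itself does.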