[FIX] tools: verify path before opening
odony committed Jun 2, 2017
1 parent 380f59b commit 76cd8d2
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion odoo/tools/misc.py
Expand Up @@ -196,7 +196,16 @@ def file_open(name, mode="r", subdir='addons', pathinfo=False):


def _fileopen(path, mode, basedir, pathinfo, basename=None):
name = os.path.normpath(os.path.join(basedir, path))
name = os.path.normpath(os.path.normcase(os.path.join(basedir, path)))

import odoo.modules as addons
paths = addons.module.ad_paths + [config['root_path']]
for addons_path in paths:
addons_path = os.path.normpath(os.path.normcase(addons_path)) + os.sep
if name.startswith(addons_path):
break
else:
raise ValueError("Unknown path: %s" % name)

if basename is None:
basename = name
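Review bot: the trailing `os.sep` appended to each `addons_path` before the `startswith` comparison is what stops a sibling directory whose name merely begins with an addons path (for example `<addons_path>-other`) from passing the check; a short inline comment on that line would keep a later cleanup from dropping it. Two further points on the new block: `os.path.normpath` collapses `..` segments but does not resolve symlinks, so if symlinked files inside an addons directory are a concern, `os.path.realpath` on both `name` and `addons_path` would close that gap; and `raise ValueError("Unknown path: %s" % name)` echoes the fully normalized path back to the caller, so if this error can reach an unprivileged user, consider reporting only the original `path` argument. The `for ... else` construction is correct here (the `else` runs only when no `break` occurred), but it is unusual enough in this codebase that a comment noting the intent would help readers.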

2 comments on commit 76cd8d2

@ravishekharco

Can making changes just to this file at our installation patch the vulnerability, or will we need to upgrade Odoo overall?

@odony
Contributor Author

@odony odony commented on 76cd8d2 Jun 6, 2017


@ravishekharco This patch is enough to fix the issue, as explained in section V. Solution of the advisory. However, it is strongly recommended to update your whole Odoo installation regularly (for performance improvements and other bugfixes). You could use this patch temporarily while you verify that updating the whole installation does not impact your production databases, e.g. in a staging environment.
