Prevent read of user password hash

changeset c9be44cd05e1 did not add the same hiding protection to the new password_hash field as the password field. This allow any authenticated user to read the hash of any other user. CVE-2016-1241 issue5795 review32441002
tryton · Aug 30, 2016 · 30d2a6d · 30d2a6d
1 parent 0874b76
commit 30d2a6d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,4 @@
+* Prevent read of user password hash (CVE-2016-1241)
 * Add database dump cache for tests
 * Remove unused tools: find_in_path, exec_command_pipe and mod10r
 * Implementation of drop_column for SQLite

diff --git a/trytond/res/user.py b/trytond/res/user.py
@@ -232,6 +232,14 @@ def _convert_vals(vals):
             vals['menu'] = Action.get_action_id(vals['menu'])
         return vals
 
+    @classmethod
+    def read(cls, ids, fields_names=None):
+        result = super(User, cls).read(ids, fields_names=fields_names)
+        if not fields_names or 'password_hash' in fields_names:
+            for values in result:
+                values['password_hash'] = None
+        return result
+
     @classmethod
     def create(cls, vlist):
         vlist = [cls._convert_vals(vals) for vals in vlist]