Sanitize path in file_open against suffix

issue6361 review33191002
tryton · Apr 3, 2017 · 30e9785 · 30e9785
1 parent 798f842
commit 30e9785
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,4 @@
+* Sanitize path in file_open against suffix (CVE-2017-0360)
 * Add constraint on user password
 * Remove Property field
 * Add MultiValueMixin and ValueMixin

diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
@@ -134,6 +134,11 @@ def test_file_open(self):
         with self.assertRaisesRegexp(IOError, "Permission denied:"):
             file_open('../../foo')
 
+    def test_file_open_suffix(self):
+        "Test file_open from same root name but with a suffix"
+        with self.assertRaisesRegexp(IOError, "Permission denied:"):
+            file_open('../trytond_suffix', subdir=None)
+
 
 def suite():
     func = unittest.TestLoader().loadTestsFromTestCase

diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
@@ -32,7 +32,7 @@ def secure_join(root, *paths):
         "Join paths and ensure it still below root"
         path = os.path.join(root, *paths)
         path = os.path.normpath(path)
-        if not path.startswith(root):
+        if not path.startswith(os.path.join(root, '')):
             raise IOError("Permission denied: %s" % name)
         return path