[tryton-debian-vcs] tryton-server branch debian-squeeze updated. debian/1.6.1-2-5-g13c12b3
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Sun Oct 5 18:42:34 UTC 2014
The following commit has been merged in the debian-squeeze branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/1.6.1-2-5-g13c12b3
commit 13c12b316832378c26cd3b0450542ffbefc6dff6
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Sun Oct 5 20:40:09 2014 +0200
Releasing debian version 1.6.1-2+squeeze2.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index 3564bc6..4f18cce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+tryton-server (1.6.1-2+squeeze2) squeeze-lts; urgency=high
+
+ * Adding patch for CVE-2014-6633.
+ This patch is a backport from trunk. It fixes safe_eval to not allow
+ any double underscores.
+ S.a. https://bugs.tryton.org/issue4155
+ S.a. https://bugs.tryton.org/issue4228
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Fri, 03 Oct 2014 16:07:59 +0200
+
tryton-server (1.6.1-2+squeeze1) stable-security; urgency=high
* Adding patch for "Missing access control on some relation model for
commit 6de9d97bdedd885dbddd1d3967bd5d5fc2a31282
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Wed Oct 1 13:05:48 2014 +0200
Adding patch for CVE-2014-6633.
This patch is a backport from trunk. It fixes safe_eval to not
allow any double underscores.
Uses:
- http://codereview.tryton.org/5601002
- http://codereview.tryton.org/5681002
diff --git a/trytond/model/modelview.py b/trytond/model/modelview.py
index 4f9f0e6..8d8e6e6 100644
--- a/trytond/model/modelview.py
+++ b/trytond/model/modelview.py
@@ -380,7 +380,9 @@ class ModelView(Model):
encoder = PYSONEncoder()
for attr in ('states', 'domain', 'context', 'digits', 'add_remove',
'spell', 'colors'):
- if element.get(attr):
+ if (element.get(attr)
+ # Avoid double evaluation from inherit with different model
+ and '__' not in element.get(attr)):
element.set(attr, encoder.encode(safe_eval(element.get(attr),
CONTEXT)))
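Review bot: `element.get(attr)` is evaluated three times in the new condition (the guard on line 47, the substring test on line 49 and the value passed to safe_eval on line 50); binding it once reads better and guarantees the guarded string and the evaluated string are the same object: `value = element.get(attr)` / `if value and '__' not in value:` / `element.set(attr, encoder.encode(safe_eval(value, CONTEXT)))`. The added comment says why double evaluation is avoided but not why `__` is the marker for it; presumably an attribute already encoded by an earlier pass contains `__` (TODO confirm against PYSONEncoder's output), and a line such as `# '__' marks output of a previous encoding pass; safe_eval now rejects it, so leave it as is` would make the guard self-explanatory. Note that an attribute containing `__` for any other reason is now passed through untouched rather than rejected. The enclosing method starts above the hunk.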
diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
index d04523f..7c0d5d2 100644
--- a/trytond/tests/test_tools.py
+++ b/trytond/tests/test_tools.py
@@ -69,7 +69,7 @@ class ToolsTestCase(unittest.TestCase):
'''
Attempt to get arround direct attr access.
'''
- self.assertRaises(Exception, safe_eval, "getattr(int, '__abs__')")
+ self.assertRaises(Exception, safe_eval, "getattr(int, 'real')")
def test0062safe_eval_func_globals(self):
'''
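Review bot: The replacement assertion on line 61 no longer exercises the dunder path, so the new `'__'` check in `safe_eval` is left without a regression test; keep the new line and add a companion that pins the rejection explicitly, `self.assertRaises(ValueError, safe_eval, "getattr(int, '__abs__')")`. With the old string the test passed for either reason (the substring check or the restricted builtins), whereas the two assertions side by side distinguish the two controls. The test method's `def` line lies above the hunk.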
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 8967189..ddab69d 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -588,8 +588,8 @@ def _compile_source(source):
return comp
def safe_eval(source, data=None):
- if '__subclasses__' in source:
- raise ValueError('__subclasses__ not allowed')
+ if '__' in source:
+ raise ValueError('Double underscores not allowed')
comp = _compile_source(source)
return eval(comp, {'__builtins__': {
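Review bot: `safe_eval` has no docstring, and the new guard on line 73 is a substring check on the raw source text rather than on the parsed expression, so it also rejects `__` appearing inside string literals of the expression; that conservative behaviour is intended per the changelog but is worth stating, e.g. `"""Evaluate *source* with restricted builtins. Any '__' in the text is rejected up front (CVE-2014-6633), including inside string literals."""`. A lexical denylist is a coarse control; the restricted `__builtins__` mapping passed on line 76 remains the primary one, and its contents are outside the hunk. The function body continues past the hunk.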
commit c50948c255dc472e39db81d46e5f12e773427c19
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Wed Oct 1 12:54:27 2014 +0200
Releasing debian version 1.6.1-2+squeeze1.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index e47ecf9..3564bc6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tryton-server (1.6.1-2+squeeze1) stable-security; urgency=high
+
+ * Adding patch for "Missing access control on some relation model for
+ Many2Many" (https://bugs.tryton.org/issue2476).
+ The issue is filed under CVE-2012-0215.
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Wed, 24 Mar 2012 12:28:29 +0100
+
tryton-server (1.6.1-2) unstable; urgency=low
* Removing --remove-home from deluser call in postinst (Closes:
commit 29446ee9e7f622af1120dbd4da0f6beffeeb4c1d
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Wed Oct 1 12:53:45 2014 +0200
Adding patch for CVE-2012-0215.
diff --git a/trytond/model/modelstorage.py b/trytond/model/modelstorage.py
index 9411ac4..9c3b217 100644
--- a/trytond/model/modelstorage.py
+++ b/trytond/model/modelstorage.py
@@ -9,6 +9,7 @@ from trytond.model.browse import EvalEnvironment
from trytond.tools import safe_eval
from trytond.pyson import PYSONEncoder, PYSONDecoder, PYSON
from trytond.const import OPERATORS
+from trytond.model.modelview import ModelView
import datetime
import time
from decimal import Decimal
@@ -35,18 +36,19 @@ class ModelStorage(Model):
def __init__(self):
super(ModelStorage, self).__init__()
- self._rpc.update({
- 'create': True,
- 'read': False,
- 'write': True,
- 'delete': True,
- 'copy': True,
- 'search': False,
- 'search_count': False,
- 'search_read': False,
- 'export_data': False,
- 'import_data': True,
- })
+ if isinstance(self, ModelView):
+ self._rpc.update({
+ 'create': True,
+ 'read': False,
+ 'write': True,
+ 'delete': True,
+ 'copy': True,
+ 'search': False,
+ 'search_count': False,
+ 'search_read': False,
+ 'export_data': False,
+ 'import_data': True,
+ })
self._constraints = []
def default_create_uid(self, cursor, user, context=None):
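Review bot: The new `isinstance(self, ModelView)` gate on line 128 carries no comment, so the reason RPC entries are registered only for view-backed models is lost on the reader; per the commit message this closes the missing access control on Many2Many relation models (CVE-2012-0215), and a line such as `# Only models with a view are exposed over RPC; pure storage models (e.g. Many2Many relation tables) stay server-side (CVE-2012-0215)` above the `if` would record that. Subclasses that delete entries from `self._rpc` in their own `__init__` now raise `KeyError` when they are not a `ModelView`; the commit removes one such case in workflow.py, but other subclasses outside this diff cannot be checked here. The `ModelView` import added in the first hunk makes modelstorage depend on modelview; whether that risks an import cycle depends on modelview's own imports, which are not shown.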
diff --git a/trytond/workflow/workflow.py b/trytond/workflow/workflow.py
index fbced47..68934bd 100644
--- a/trytond/workflow/workflow.py
+++ b/trytond/workflow/workflow.py
@@ -252,11 +252,6 @@ class WorkflowTransitionInstance(ModelSQL):
inst_id = fields.Many2One('workflow.instance', 'Instance',
ondelete='CASCADE', select=1, required=True)
- def __init__(self):
- super(WorkflowTransitionInstance, self).__init__()
- for i in ('create', 'write', 'delete', 'copy'):
- del self._rpc[i]
-
def fields_get(self, cursor, user, fields_names=None, context=None):
res = super(WorkflowTransitionInstance, self).fields_get(cursor, user,
fields_names=fields_names, context=context)