[tryton-debian-vcs] tryton-server branch debian-squeeze updated. debian/1.6.1-2-5-g13c12b3

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Sun Oct 5 18:42:34 UTC 2014


The following commit has been merged in the debian-squeeze branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/1.6.1-2-5-g13c12b3

commit 13c12b316832378c26cd3b0450542ffbefc6dff6
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Sun Oct 5 20:40:09 2014 +0200

    Releasing debian version 1.6.1-2+squeeze2.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/debian/changelog b/debian/changelog
index 3564bc6..4f18cce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+tryton-server (1.6.1-2+squeeze2) squeeze-lts; urgency=high
+
+  * Adding patch for CVE-2014-6633.
+    This patch is a backport from trunk. It fixes safe_eval to not allow
+    any double underscores.
+    S.a. https://bugs.tryton.org/issue4155
+    S.a. https://bugs.tryton.org/issue4228
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Fri, 03 Oct 2014 16:07:59 +0200
+
 tryton-server (1.6.1-2+squeeze1) stable-security; urgency=high
 
   * Adding patch for "Missing access control on some relation model for
commit 6de9d97bdedd885dbddd1d3967bd5d5fc2a31282
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Wed Oct 1 13:05:48 2014 +0200

    Adding patch for CVE-2014-6633.
    
    This patch is a backport from trunk. It fixes safe_eval to not
    allow any double underscores.
    Uses:
    - http://codereview.tryton.org/5601002
    - http://codereview.tryton.org/5681002

diff --git a/trytond/model/modelview.py b/trytond/model/modelview.py
index 4f9f0e6..8d8e6e6 100644
--- a/trytond/model/modelview.py
+++ b/trytond/model/modelview.py
@@ -380,7 +380,9 @@ class ModelView(Model):
         encoder = PYSONEncoder()
         for attr in ('states', 'domain', 'context', 'digits', 'add_remove',
                 'spell', 'colors'):
-            if element.get(attr):
+            if (element.get(attr)
+                    # Avoid double evaluation from inherit with different model
+                    and '__' not in element.get(attr)):
                 element.set(attr, encoder.encode(safe_eval(element.get(attr),
                     CONTEXT)))
 
diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
index d04523f..7c0d5d2 100644
--- a/trytond/tests/test_tools.py
+++ b/trytond/tests/test_tools.py
@@ -69,7 +69,7 @@ class ToolsTestCase(unittest.TestCase):
         '''
         Attempt to get arround direct attr access.
         '''
-        self.assertRaises(Exception, safe_eval, "getattr(int, '__abs__')")
+        self.assertRaises(Exception, safe_eval, "getattr(int, 'real')")
 
     def test0062safe_eval_func_globals(self):
         '''
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 8967189..ddab69d 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -588,8 +588,8 @@ def _compile_source(source):
     return comp
 
 def safe_eval(source, data=None):
-    if '__subclasses__' in source:
-        raise ValueError('__subclasses__ not allowed')
+    if '__' in source:
+        raise ValueError('Double underscores not allowed')
 
     comp = _compile_source(source)
     return eval(comp, {'__builtins__': {
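Review bot: The check at line 86 is a substring test on the raw source text, so it also rejects harmless expressions whose string literals happen to contain `__`, and nothing documents that callers should expect ValueError in that case; safe_eval has no docstring. Add one stating the contract, e.g. `"""Evaluate *source* with restricted builtins; any '__' in the text raises ValueError (CVE-2014-6633)."""`. The restricted `__builtins__` mapping begun at line 90 is the other layer of the same control, so the two should stay together in any future refactor. safe_eval's body continues past the end of the hunk.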
commit c50948c255dc472e39db81d46e5f12e773427c19
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Wed Oct 1 12:54:27 2014 +0200

    Releasing debian version 1.6.1-2+squeeze1.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/debian/changelog b/debian/changelog
index e47ecf9..3564bc6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tryton-server (1.6.1-2+squeeze1) stable-security; urgency=high
+
+  * Adding patch for "Missing access control on some relation model for
+    Many2Many" (https://bugs.tryton.org/issue2476).
+    The issue is filed under CVE-2012-0215.
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Wed, 24 Mar 2012 12:28:29 +0100
+
 tryton-server (1.6.1-2) unstable; urgency=low
 
   * Removing --remove-home from deluser call in postinst (Closes:
commit 29446ee9e7f622af1120dbd4da0f6beffeeb4c1d
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Wed Oct 1 12:53:45 2014 +0200

    Adding patch for CVE-2012-0215.

diff --git a/trytond/model/modelstorage.py b/trytond/model/modelstorage.py
index 9411ac4..9c3b217 100644
--- a/trytond/model/modelstorage.py
+++ b/trytond/model/modelstorage.py
@@ -9,6 +9,7 @@ from trytond.model.browse import EvalEnvironment
 from trytond.tools import safe_eval
 from trytond.pyson import PYSONEncoder, PYSONDecoder, PYSON
 from trytond.const import OPERATORS
+from trytond.model.modelview import ModelView
 import datetime
 import time
 from decimal import Decimal
@@ -35,18 +36,19 @@ class ModelStorage(Model):
 
     def __init__(self):
         super(ModelStorage, self).__init__()
-        self._rpc.update({
-            'create': True,
-            'read': False,
-            'write': True,
-            'delete': True,
-            'copy': True,
-            'search': False,
-            'search_count': False,
-            'search_read': False,
-            'export_data': False,
-            'import_data': True,
-        })
+        if isinstance(self, ModelView):
+            self._rpc.update({
+                'create': True,
+                'read': False,
+                'write': True,
+                'delete': True,
+                'copy': True,
+                'search': False,
+                'search_count': False,
+                'search_read': False,
+                'export_data': False,
+                'import_data': True,
+            })
         self._constraints = []
 
     def default_create_uid(self, cursor, user, context=None):
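Review bot: The `isinstance(self, ModelView)` condition at line 149 now decides which models get create/write/delete/copy registered as RPC, but no comment explains why a bare ModelStorage must not expose them; add `# Only models that are also views expose write RPCs; plain storage models (e.g. relation tables) stay read-only remotely (CVE-2012-0215)` above the `if`. The new import at line 129 makes modelstorage depend on modelview, while the modelview hunk in this mail shows `class ModelView(Model)`; if modelview imports anything from modelstorage the import becomes circular and fails at import time rather than at the check — worth confirming. The `__init__` method is complete within the hunk.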
diff --git a/trytond/workflow/workflow.py b/trytond/workflow/workflow.py
index fbced47..68934bd 100644
--- a/trytond/workflow/workflow.py
+++ b/trytond/workflow/workflow.py
@@ -252,11 +252,6 @@ class WorkflowTransitionInstance(ModelSQL):
     inst_id = fields.Many2One('workflow.instance', 'Instance',
             ondelete='CASCADE', select=1, required=True)
 
-    def __init__(self):
-        super(WorkflowTransitionInstance, self).__init__()
-        for i in ('create', 'write', 'delete', 'copy'):
-            del self._rpc[i]
-
     def fields_get(self, cursor, user, fields_names=None, context=None):
         res = super(WorkflowTransitionInstance, self).fields_get(cursor, user,
                 fields_names=fields_names, context=context)