[tryton-debian-vcs] tryton-server branch upstream updated. upstream/3.8.2-1-g05fe3c2
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Wed Feb 10 19:55:48 UTC 2016
The following commit has been merged in the upstream branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=upstream/3.8.2-1-g05fe3c2
commit 05fe3c240e9b7465bf40495095a8f52ee3989322
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Wed Feb 10 18:16:09 2016 +0100
Adding upstream version 3.8.3.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/CHANGELOG b/CHANGELOG
index c67bc63..7d6c5bc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,9 @@
+Version 3.8.3 - 2016-02-06
+* Bug fixes (see mercurial logs for details)
+* Strip and unquote double-quote from Postgresql schema in search_path
+* Don't read historized user when evaluating record rules as it could lead to
+ past privilege escalation.
+
Version 3.8.2 - 2016-01-11
* Bug fixes (see mercurial logs for details)
diff --git a/PKG-INFO b/PKG-INFO
index e6aa46b..c944c45 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 3.8.2
+Version: 3.8.3
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index e6aa46b..c944c45 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 3.8.2
+Version: 3.8.3
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond/__init__.py b/trytond/__init__.py
index b60e110..2871eed 100644
--- a/trytond/__init__.py
+++ b/trytond/__init__.py
@@ -4,7 +4,7 @@ import os
import time
from email import charset
-__version__ = "3.8.2"
+__version__ = "3.8.3"
os.environ['TZ'] = 'UTC'
if hasattr(time, 'tzset'):
diff --git a/trytond/backend/postgresql/database.py b/trytond/backend/postgresql/database.py
index 9776784..3d7cf2d 100644
--- a/trytond/backend/postgresql/database.py
+++ b/trytond/backend/postgresql/database.py
@@ -39,6 +39,18 @@ RE_VERSION = re.compile(r'\S+ (\d+)\.(\d+)')
os.environ['PGTZ'] = os.environ.get('TZ', '')
+def unescape_quote(s):
+ if s.startswith('"') and s.endswith('"'):
+ return s.strip('"').replace('""', '"')
+ return s
+
+
+def replace_special_values(s, **mapping):
+ for name, value in mapping.iteritems():
+ s = s.replace('$' + name, value)
+ return s
+
+
class Database(DatabaseInterface):
_databases = {}
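Review bot: `unescape_quote` uses `s.strip('"')`, which removes every leading and trailing double quote rather than the one enclosing pair. A quoted identifier whose name itself begins or ends with a quote (a constructed example: `"""a"""` for the schema `"a"`) loses those characters, and a lone `"` passes the startswith/endswith test and comes back as an empty string. Slicing the pair off is exact: `if len(s) >= 2 and s.startswith('"') and s.endswith('"'): return s[1:-1].replace('""', '"')`. Both new helpers also lack a docstring; one line each stating that they operate on a single element of the `SHOW search_path` output would be enough.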
@@ -347,8 +359,14 @@ class Cursor(CursorInterface):
def search_path(self):
if self._search_path is None:
self.execute('SHOW search_path')
- self._search_path = self.fetchone()[0].replace(
- '"$user"', self.current_user).split(',')
+ path, = self.fetchone()
+ special_values = {
+ 'user': self.current_user,
+ }
+ self._search_path = [
+ unescape_quote(replace_special_values(
+ p.strip(), **special_values))
+ for p in path.split(',')]
return self._search_path
register_type(UNICODE)
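Review bot: In `search_path`, `$user` is substituted as a plain substring and before the element is unquoted. A schema whose name merely contains `$user` (a constructed example: `"$user_archive"`) is therefore rewritten, and a role name containing a double quote is altered by the later `""` unescaping. Unquoting first and substituting only when the whole element is a special value avoids both, e.g. `p = unescape_quote(p.strip())` followed by `p = special_values.get(p[1:], p) if p.startswith('$') else p`. Separately, `path.split(',')` still splits inside a quoted schema name that contains a comma. Presumably the resolved list decides which schemas the backend inspects, so a mis-parsed entry would send lookups to the wrong schema.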
diff --git a/trytond/ir/rule.py b/trytond/ir/rule.py
index cb61ffc..267705b 100644
--- a/trytond/ir/rule.py
+++ b/trytond/ir/rule.py
@@ -145,7 +145,7 @@ class Rule(ModelSQL, ModelView):
def _get_context():
User = Pool().get('res.user')
user_id = Transaction().user
- with Transaction().set_context(_check_access=False):
+ with Transaction().set_context(_check_access=False, _datetime=None):
user = EvalEnvironment(User(user_id), User)
return {
'user': user,
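Review bot: The `_datetime=None` added to `set_context` in `_get_context` has no comment, although it is the security-relevant part of this commit: the CHANGELOG entry says that reading the historized user while evaluating record rules could lead to past privilege escalation. A comment above the `with` line would keep a later cleanup from dropping the argument, e.g. `# Reset _datetime so record rules are evaluated against the current user, not a historized one`. No regression test is visible in this commit; one that evaluates a rule while `_datetime` is set in the context would pin the behaviour. `_get_context` continues past the end of the hunk.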
--
tryton-server