[tryton-debian-vcs] tryton-server branch upstream updated. upstream/4.2.2-1-g38c8fb3

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Tue Apr 4 08:30:37 UTC 2017


The following commit has been merged in the upstream branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=upstream/4.2.2-1-g38c8fb3

commit 38c8fb3f9e3816c38321fbb0a9037b10c6e1fbf4
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Apr 4 09:35:24 2017 +0200

    Adding upstream version 4.2.3.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/CHANGELOG b/CHANGELOG
index 293edce..1d39cc9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 4.2.3 - 2017-04-03
+* Bug fixes (see mercurial logs for details)
+* Sanitize path in file_open against suffix (CVE-2017-0360)
+
 Version 4.2.2 - 2017-03-10
 * Bug fixes (see mercurial logs for details)
 
diff --git a/PKG-INFO b/PKG-INFO
index 1fa5eed..cfd1c8f 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 4.2.2
+Version: 4.2.3
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index 1fa5eed..cfd1c8f 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 4.2.2
+Version: 4.2.3
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond/__init__.py b/trytond/__init__.py
index 3ab0499..7a81fd1 100644
--- a/trytond/__init__.py
+++ b/trytond/__init__.py
@@ -5,7 +5,7 @@ import time
 import logging
 from email import charset
 
-__version__ = "4.2.2"
+__version__ = "4.2.3"
 logger = logging.getLogger(__name__)
 
 os.environ['TZ'] = 'UTC'
diff --git a/trytond/ir/model.py b/trytond/ir/model.py
index f0498bf..778becb 100644
--- a/trytond/ir/model.py
+++ b/trytond/ir/model.py
@@ -966,11 +966,13 @@ class ModelButtonClick(ModelSQL, ModelView):
 
         clicks = defaultdict(list)
         for records in grouped_slice(records):
-            clicks.update(groupby(cls.search([
-                            ('button', '=', button.id),
-                            ('record_id', 'in', [r.id for r in records]),
-                            ], order=[('record_id', 'ASC')]),
-                    key=lambda c: c.record_id))
+            records = cls.search([
+                    ('button', '=', button.id),
+                    ('record_id', 'in', [r.id for r in records]),
+                    ], order=[('record_id', 'ASC')])
+            clicks.update(
+                (k, list(v)) for k, v in groupby(
+                    records, key=lambda c: c.record_id))
         return clicks
 
     @classmethod
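Review bot: Rebinding `records` to the search result inside the loop (line `records = cls.search([`) shadows both the loop variable and the enclosing `records` argument; it is correct only because `[r.id for r in records]` is evaluated before the assignment, which is easy to break on a later edit. Use a distinct name for the search result, e.g. `button_clicks = cls.search([` and `records, key=lambda c: c.record_id))` → `button_clicks, key=lambda c: c.record_id))`. A short why-comment on the `list(v)` materialisation would also help, since `groupby` yields group iterators that are consumed once the outer iterator advances, which is presumably what the previous code got wrong. The enclosing method starts before this hunk.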
diff --git a/trytond/tests/test_tools.py b/trytond/tests/test_tools.py
index d74f4ae..d1f574f 100644
--- a/trytond/tests/test_tools.py
+++ b/trytond/tests/test_tools.py
@@ -128,6 +128,11 @@ class ToolsTestCase(unittest.TestCase):
         with self.assertRaisesRegexp(IOError, "Permission denied:"):
             file_open('../../foo')
 
+    def test_file_open_suffix(self):
+        "Test file_open from same root name but with a suffix"
+        with self.assertRaisesRegexp(IOError, "Permission denied:"):
+            file_open('../trytond_suffix', subdir=None)
+
 
 def suite():
     func = unittest.TestLoader().loadTestsFromTestCase
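Review bot: The new test's docstring does not say why a path that merely shares root's name prefix must be rejected, so a later maintainer cannot tell this case from an ordinary traversal test; suggest `"Test file_open rejects a sibling of root sharing its name prefix (CVE-2017-0360)"`, the identifier coming from the CHANGELOG hunk in this commit. The case also relies on the package root being named `trytond` so that `../trytond_suffix` shares the prefix — a one-line comment such as `# '../trytond_suffix' is a sibling of the 'trytond' root, not inside it` would make that dependency explicit. It remains `assertRaisesRegexp`, matching the surrounding tests, so no change there.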
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 2b9a7f8..ec53fe3 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -32,7 +32,7 @@ def file_open(name, mode="r", subdir='modules', encoding=None):
         "Join paths and ensure it still below root"
         path = os.path.join(root, *paths)
         path = os.path.normpath(path)
-        if not path.startswith(root):
+        if not path.startswith(os.path.join(root, '')):
             raise IOError("Permission denied: %s" % name)
         return path
 
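Review bot: The tightened prefix check on the `startswith` line is only sound if `root` is normalized the same way `path` is; within this hunk `os.path.normpath` is applied to `path` but `root` is used as-is, so a root containing `..`, a redundant separator or, on Windows, mixed `/` and `\` separators could compare unequally and either reject valid paths or, in the mixed-separator case, weaken the check. Where `root` is computed (outside this hunk) it should be passed through `os.path.normpath` once, and a comment on the check such as `# trailing separator prevents '<root>_suffix' siblings from matching` would record why `os.path.join(root, '')` is used. Note that `normpath` does not resolve symbolic links, so a link inside root pointing outside it still passes this string comparison; whether that is acceptable depends on how module directories are deployed. The enclosing `file_open` starts before and continues after this hunk.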