c2c-oerpscenario team mailing list archive

[Bug 685328] [NEW] Module import: no check on file technical format

 

*** This bug is a security vulnerability ***

Public security bug reported:

Note this bug is potentially applicable to V6...

On my Windows 7 system, I created an Excel macro that generates an
OpenERP module with all the required files (init, terp, and all csv
containing data).

When trying to import the zip folder via the administration menu, the
system was importing the module in the module list but the module
description form was empty or containing partial data in regards to the
TERP file content.

Furthermore, after the import of the module into the module list the
system was so corrupted (impossible to create new DB anymore) that I had
to reinstall OpenERP from scratch.

After checking with OpenERP support, it appeared that it was due to the file technical format generated by Windows and the Excel macro, while OpenERP's current requirements are:
- UTF8 (without BOM) for CSV upload files but with Windows format supported
- UTF8 (without BOM) for TERP and INIT files but accepting only UNIX format

When you know that, it's OK, you know you have to convert your files'
format.

Nevertheless, I think it's a security issue because if someone imports a
module with an unsupported format it corrupts the system and you only see
it when you want to create a new DB !!!

I think a check with an error message/popup should be implemented in
order to be sure of the file technical formats when importing a module.

** Affects: openobject-server
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/685328
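
A pre-import check of the kind requested above, as an added example that is not OpenERP code and not part of the original report. The file names `__terp__.py` and `__init__.py`, the size cap and every function name are assumptions; the rules enforced are the two stated in the report.

```python
import io
import zipfile

BOM = b"\xef\xbb\xbf"
# Assumed names of the "TERP" and "INIT" files; the report does not spell them out.
STRICT_NAMES = ("__terp__.py", "__init__.py")
MAX_MEMBER_SIZE = 5 * 1024 * 1024  # assumed cap on a member's declared size

def check_member(name, data):
    """Return the format problems found in one archive member."""
    base = name.rsplit("/", 1)[-1]
    strict = base in STRICT_NAMES          # UNIX line endings only
    if not strict and not base.lower().endswith(".csv"):
        return []                          # the report states no rule for other files
    problems = []
    if data.startswith(BOM):
        problems.append("%s: UTF-8 BOM present" % name)
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        problems.append("%s: not valid UTF-8 (byte offset %d)" % (name, exc.start))
    if strict and b"\r" in data:
        problems.append("%s: CR/CRLF line endings, UNIX (LF) required" % name)
    return problems

def check_module_zip(zip_bytes):
    """Inspect a module archive in memory, before anything is written or registered."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                problems.append("%s: larger than %d bytes" % (info.filename, MAX_MEMBER_SIZE))
                continue
            problems.extend(check_member(info.filename, zf.read(info)))
    return problems

def build_sample(files):
    """Build a constructed test archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a manifest as a Windows tool might save it, plus a CSV.
SAMPLE = build_sample({"demo/__terp__.py": BOM + b"{'name': 'demo'}\r\n",
                       "demo/data.csv": b"id,name\r\n1,a\r\n"})
```

An importer would reject the upload with the returned messages whenever the list is non-empty, so a malformed archive never reaches the module list.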
