openerp-community-reviewer team mailing list archive
Message #00193
Re: [Merge] lp:~serpentcs/web-addons/multi_image_7.0 into lp:web-addons
A little hole is:
158 + def upload_image_multi(self, req, callback, ufile):
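Review bot: the quoted signature `def upload_image_multi(self, req, callback, ufile):` shows the handler receiving `req`, but the quoted line alone does not show `req.session` being consulted before `ufile` is stored; accepting `req` as a parameter is not an access check by itself, so the merge should carry (and the review should quote) the lines that resolve the user from the session and enforce the attachment ACL before anything is written.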
As you can see, it is not asking for the session object to validate the ACL. I don't have time now to prepare a use case, but it is dangerous.
See how I think we have an important security hole with the approach you took to upload files.
https://dl.dropboxusercontent.com/u/2428846/Captura%20de%20pantalla%202013-09-28%20a%20la%28s%29%2001.14.21.png
--
https://code.launchpad.net/~serpentcs/web-addons/multi_image_7.0/+merge/179857
Your team Web-Addons Core Editors is subscribed to branch lp:web-addons.
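To make the ACL point concrete, here is an added stand-alone example; it is not code from the merge proposal, from web-addons or from OpenERP. It mimics the shape of an OpenERP 7 web controller upload handler (arguments `req`, `callback`, `ufile`, where `ufile` is assumed to behave like werkzeug's `FileStorage`) with constructed `Session`, `Request` and `Upload` stand-ins and an in-memory attachment table, so it runs offline. One handler takes `req` but never looks at it, which is the pattern flagged above; the other resolves the user from the session and checks the write right before storing anything.

```python
"""Hypothetical illustration of the session/ACL gap raised in the review.

Not OpenERP/web-addons code: Session, Request, Upload and ATTACHMENTS are
constructed stand-ins so the two handlers can run offline. The point is that
an upload handler must resolve the caller from the session and enforce the
ACL before it writes; merely receiving `req` is not a check.
"""
import base64
import io


class AccessError(Exception):
    """Raised when the session's user lacks the requested right."""


class Session:
    """Constructed stand-in for req.session: `_uid` is the authenticated
    user (None when nobody is logged in); `acl` maps (model, uid) to the
    set of operations that user may perform on that model."""

    def __init__(self, uid, acl):
        self._uid = uid
        self._acl = acl

    def check_access(self, model, operation):
        if self._uid is None:
            raise AccessError("no authenticated user in session")
        if operation not in self._acl.get((model, self._uid), set()):
            raise AccessError("uid %s may not %s %s" % (self._uid, operation, model))


class Request:
    """Constructed stand-in for the OpenERP 7 `req` controller argument."""

    def __init__(self, session):
        self.session = session


class Upload:
    """Constructed stand-in for the uploaded file (`ufile`), assumed to
    expose `.filename` and `.read()` like werkzeug's FileStorage."""

    def __init__(self, filename, data):
        self.filename = filename
        self._stream = io.BytesIO(data)

    def read(self):
        return self._stream.read()


# In-memory table standing in for ir.attachment rows.
ATTACHMENTS = []


def _store(ufile, uid):
    """Persist the upload the way an attachment row would be written."""
    ATTACHMENTS.append({
        "name": ufile.filename,
        "datas": base64.b64encode(ufile.read()).decode("ascii"),
        "create_uid": uid,
    })
    return len(ATTACHMENTS)  # 1-based id, like a database row


def upload_image_multi_unchecked(req, callback, ufile):
    """Shape of the handler under review: `req` is accepted but never
    consulted, so an unauthenticated POST still stores an attachment."""
    attachment_id = _store(ufile, uid=None)
    return "%s(%s)" % (callback, attachment_id)


def upload_image_multi_checked(req, callback, ufile):
    """Hardened variant: the user comes from the session and the write
    right on ir.attachment is enforced before anything is written."""
    req.session.check_access("ir.attachment", "write")
    attachment_id = _store(ufile, uid=req.session._uid)
    return "%s(%s)" % (callback, attachment_id)


def demo():
    """Run both handlers as an anonymous caller and as uid 1 (constructed
    ACL: only uid 1 may write ir.attachment) and report what happened."""
    del ATTACHMENTS[:]
    acl = {("ir.attachment", 1): {"read", "write"}}
    anon = Request(Session(None, acl))
    user = Request(Session(1, acl))
    payload = b"\x89PNG\r\n\x1a\n constructed image bytes"
    results = {}
    results["unchecked_anon"] = upload_image_multi_unchecked(
        anon, "cb", Upload("a.png", payload))
    try:
        upload_image_multi_checked(anon, "cb", Upload("a.png", payload))
        results["checked_anon"] = "stored"
    except AccessError:
        results["checked_anon"] = "denied"
    results["checked_user"] = upload_image_multi_checked(
        user, "cb", Upload("a.png", payload))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unchecked handler storing an attachment with no user behind it, while the checked handler rejects the anonymous caller and only stores for the user whose session carries the write right.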