openerp-india team mailing list archive

[Bug 928376] Re: file_open is not safe

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/928376

Title:
  file_open is not safe

Status in OpenERP Server:
  Incomplete

Bug description:
  It happens with 5.0 and certainly with 6.1 too.

  When you update the list of modules, the application calls:
    tools.file_open(terp_file)

  And file_open will browse all the parents of the "addons_path" for a zip file ...
  I've added a statement to trace the calls to "open()":

  open('/home/florent/erpdemo/parts/openerp-server/bin/addons/account.zip', 'rb')
  open('/home/florent/erpdemo/parts/openerp-server/bin/addons.zip', 'rb')
  open('/home/florent/erpdemo/parts/openerp-server/bin.zip', 'rb')
  open('/home/florent/erpdemo/parts/openerp-server.zip', 'rb')
  open('/home/florent/erpdemo/parts.zip', 'rb')
  open('/home/florent/erpdemo.zip', 'rb')
  open('/home/florent.zip', 'rb')
  open('/home.zip', 'rb')
  open('/.zip', 'rb')

  This behaviour is seen on module installation or upgrade too.
  It is probably a security issue which impacts performance as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/928376/+subscriptions
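
The lookup pattern visible in the trace above, modeled as an added example next to a variant that never probes outside the addons directory. This is not code from the report or from OpenERP: the function names, the `__terp__.py` file name and the choice of `.../bin/addons` as the addons root are assumptions.

```python
import posixpath

# Assumed addons root, taken from the directory names in the trace.
ADDONS_ROOT = "/home/florent/erpdemo/parts/openerp-server/bin/addons"
# Assumed descriptor path for the "account" module.
TERP_FILE = ADDONS_ROOT + "/account/__terp__.py"


def zip_candidates_unbounded(name):
    """Every '<ancestor>.zip' up to the filesystem root, as in the trace."""
    head = posixpath.normpath(name)
    candidates = []
    while True:
        head, tail = posixpath.split(head)
        if not tail:  # reached "/", nothing left to strip
            break
        candidates.append(head + ".zip")
    return candidates


def zip_candidates_bounded(name, root):
    """Only '<dir>.zip' archives that live inside root.

    Paths that normalize to somewhere outside root are rejected. A real
    implementation should also resolve symlinks before comparing.
    """
    name = posixpath.normpath(name)
    root = posixpath.normpath(root)
    if name == root or posixpath.commonpath([name, root]) != root:
        raise ValueError("path is outside the addons root: %r" % name)
    candidates = []
    head = posixpath.dirname(name)
    while head != root:  # stop before building '<root>.zip'
        candidates.append(head + ".zip")
        head = posixpath.dirname(head)
    return candidates


if __name__ == "__main__":
    print("unbounded lookup:")
    for path in zip_candidates_unbounded(TERP_FILE):
        print("  ", path)
    print("bounded lookup:")
    for path in zip_candidates_bounded(TERP_FILE, ADDONS_ROOT):
        print("  ", path)
```

The unbounded walk reproduces the nine `open()` targets in the trace, while the bounded walk yields only `addons/account.zip`.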