Not sure, but with find_global = None maybe the exceptions won't be raised. I'd better write a check function like in tryton [1] or nadiana's blog [2].
[1] http://hg.tryton.org/tryton/file/6bd9a2618cf4/tryton/pysocket.py
[2] http://nadiana.com/python-pickle-insecure#How_to_Make_Unpickling_Safer

-- 
You received this bug notification because you are a member of C2C OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/671926

Title:
  Remote code execution

Status in OpenObject GTK Client: Confirmed
Status in OpenObject GTK Client 5.0 series: Confirmed
Status in OpenObject Web Client: Confirmed
Status in OpenObject Web Client 5.0 series: Confirmed

Bug description:
  It's possible to execute arbitrary code on the client using net-rpc (pickle protocol), see http://nadiana.com/python-pickle-insecure
  If you use the client to connect to some demo server and this demo server is malicious, it can send malicious code which is executed on the client side.
  I attach an exploit server that sends code to execute to the client. It runs a ls -l and redirects the output to the proof_of_exploit.txt file.
  This bug was fixed in the server, but not in the client.
  Affects versions 4.2, 5.X and 6.X

