rvalyi

require "rubypython"
RubyPython.start
sys = RubyPython.import("sys")
sys.path.append('/home/rvalyi/DEV/openerp/openerp6.1/server')
openerp = RubyPython.import("openerp")
openerp.tools.config.parse_config(['-c', 'openerp.conf'])
x = openerp.pooler.get_db_and_pool('ooor_test')
db = x[0]
pool = x[1]
cr = db.cursor()

rvalyi

#!/usr/bin/env ruby
#########################################################################
#
#    Copyright (C) 2011 Akretion (http://www.akretion.com). All Rights Reserved
#    Author Sebastien BEAU
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as
#    published by the Free Software Foundation, either version 3 of the
#    License, or (at your option) any later version.
#

rvalyi

#creation of an empty common ancestor branch:
bzr branch lp:~sebastien.beau/+junk/empty-extra
cd empty-extra
bzr uncommit --force
rm README

#replaying revisions for a set of extra-addons:
/home/rvalyi/Downloads/bzr-super-replay /opt/openerp/branch/ref/61/extra-trunk 3200 -m account_payment_extension purchase_payment sale_payment pxgo_bank_statement_analytic pxgo_cash_statement pxgo_bank_statement_running_balance paydays nan_account_bank_statement --hide-translation

#it will scan the bzr history to find out the commits to replay and them.

rvalyi

#after exporting extra-addon full history in 4 minutes into test.fi, I did that:
bzr fast-import-filter -i account_payment_extension/ -i purchase_payment/ -i sale_payment/ -i pxgo_bank_statement_analytic/ -i pxgo_cash_statement/ -i pxgo_bank_statement_running_balance/ -i paydays/ -i nan_account_bank_statement/ test.fi > subfolder.fi

mkdir my_new_branch; cd my_new_branch; bzr init .

bzr fast-import ../subfolder.fi

#TROUBLE:
#Got only account_payment_extension sale_payment with 16 commits which is less than 50% of the commits (from the Ruby/replay script)

rvalyi

#!/usr/bin/ruby
#########################################################################
#
#    Copyright (C) 2011 Akretion (http://www.akretion.com). All Rights Reserved
#    Author Sebastien BEAU, Raphaël Valyi
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as
#    published by the Free Software Foundation, either version 3 of the
#    License, or (at your option) any later version.
#

rvalyi

People mostly want an efficient concurrent pool of workers for OpenERP for SaaS usage where several company databases are hosted on the same OpenERP server (so with Gunicorn or Circus).

But OpenERP has e number of eval where admin user OpenERP can inject arbitrary code. That is especially true when advanced users want to customize their reports which are mostly done using evaling reprting engines.

A typical exploit here would be to eval a database connection to other SaaS databases and do what ever the fuck they want with it (steal the data, hack it, etc...)

So at Akretion we don't do shared hosting of OpenERP because of this obvious security hole, a precaution that is not taken by everybody...

Developing efficient "non evaling" reporting technology (Jinja2 sandbox etc..) can be done but obviously OpenERP won't be rewritten secured overnight (there is no chance that terrible RML technology get that for instance).

rvalyi

diff --git a/addons/web/static/src/js/view_form.js b/addons/web/static/src/js/view_form.js
index 062c746..ccf1c9a 100644
--- a/addons/web/static/src/js/view_form.js
+++ b/addons/web/static/src/js/view_form.js
@@ -1869,15 +1869,33 @@ instance.web.form.FormWidget = instance.web.Widget.extend(instance.web.form.Invi
      */
     build_context: function() {
         // only use the model's context if there is not context on the node
-        var v_context = this.node.attrs.context;
+//        var v_context = this.node.attrs.context;

rvalyi

require 'rack-proxy'

class AppProxy < Rack::Proxy
  def initialize(app)
    @app = app
  end

  def call(env)
    if env['PATH_INFO'] == "/shop"
      [301, {"Location" => "/"}, self]

rvalyi

=== modified file 'openerp/osv/fields.py'
--- openerp/osv/fields.py       2012-10-05 15:33:16 +0000
+++ openerp/osv/fields.py       2012-12-11 20:12:33 +0000
@@ -566,12 +566,14 @@
             return
         _table = obj.pool.get(self._obj)._table
         obj = obj.pool.get(self._obj)
         for act in values:
             if act[0] == 0:
                 act[2][self._fields_id] = id

rvalyi

************************ browse_record(sale.order, 28)
<OpenERPSession {'uid': 5, 'jsonp_requests': {}, 'db': 'v8', 'ecommerce_pricelist': 1, 'context': {'lang': u'en_US', 'tz': False, 'uid': 5}, 'ecommerce_order_id': 28L, 'login': 'public', 'password': 'public', 'website_session_id': 'ccb76573-795b-45f6-b0a7-9f252ea35880'}>
2014-01-03 13:52:12,876 32592 WARNING v8 openerp.osv.orm: Access Denied by record rules for operation: read on record ids: [28], uid: 5, model: sale.order
2014-01-03 13:52:12,881 32592 ERROR v8 openerp.addons.website.models.ir_http: 500 Internal Server Error:

Traceback (most recent call last):
  File "/home/rvalyi/DEV/oe8/server/openerp/addons/base/ir/ir_http.py", line 117, in _dispatch
    result = request.dispatch()
  File "/home/rvalyi/DEV/oe8/server/openerp/http.py", line 411, in dispatch
    r = self._call_function(**self.params)