Skip to Content
This question has been flagged
securitywebsite_builderwebsite
6 Replies
12295 Views
Avatar
Damian Bere

Context:

Odoo v9 docker image installed behind NginX reverse proxy, on a publicly facing bare domain (e.g. mydomain.com), website builder installed, no other configuration or apps.

The Effects of the Problem:

Periodically a critical file will go missing, here's an example of the log (with my heading annotations) after a previously successful refresh request of the website:

Start of events in log after point last known to be working
===========================================================
2015-11-07 14:51:30,288 1 INFO db-test openerp.addons.fetchmail.fetchmail: start checking for new emails on imap server Google Apps
2015-11-07 14:51:30,981 1 INFO db-test openerp.addons.fetchmail.fetchmail: Fetched 0 email(s) on imap server Google Apps; 0 succeeded, 0 failed.

This looks like an automated task - notice the IDs
==================================================
2015-11-07 14:52:46,405 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [785]
2015-11-07 14:52:47,246 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [786]
2015-11-07 14:52:47,680 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [787]
2015-11-07 14:52:48,056 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [788]

Anonymous Request for an unknown URL resulting in 404
=====================================================
2015-11-07 14:52:48,169 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:52:48] "GET /themes/elastixneo/ie.css HTTP/1.0" 404 -

More automated fetchmail activity
=================================
2015-11-07 14:56:36,462 1 INFO db-test openerp.addons.fetchmail.fetchmail: start checking for new emails on imap server Google Apps
2015-11-07 14:56:37,348 1 INFO db-test openerp.addons.fetchmail.fetchmail: Fetched 0 email(s) on imap server Google Apps; 0 succeeded, 0 failed.

The request where it fails - notice the IDs
===========================================
2015-11-07 14:57:49,185 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET / HTTP/1.0" 200 -
2015-11-07 14:57:49,595 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/785-56abdf9/web.assets_common.0.css HTTP/1.0" 200 -
2015-11-07 14:57:49,960 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/786-0a4c00b/website.assets_frontend.0.css HTTP/1.0" 200 -
2015-11-07 14:57:49,971 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/316-c930da7/web_editor.summernote.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,011 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/318-9b2470c/web_editor.editor.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,026 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/345-19ca330/website.assets_editor.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,034 1 INFO db-test openerp.addons.base.ir.ir_attachment: _read_file reading /var/lib/odoo/filestore/db-test/e6/e69e06808b908fc0d85ebfea58fbc7df3788e72e
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/openerp/addons/base/ir/ir_attachment.py", line 151, in _file_read
r = open(full_path,'rb').read().encode('base64')
IOError: [Errno 2] No such file or directory: u'/var/lib/odoo/filestore/db-test/e6/e69e06808b908fc0d85ebfea58fbc7df3788e72e'
2015-11-07 14:57:50,035 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/787-56abdf9/web.assets_common.js HTTP/1.0" 200 -
2015-11-07 14:57:50,240 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/317-c930da7/web_editor.summernote.js HTTP/1.0" 200 -
2015-11-07 14:57:50,286 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/319-9b2470c/web_editor.editor.js HTTP/1.0" 200 -
2015-11-07 14:57:50,319 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/788-0a4c00b/website.assets_frontend.js HTTP/1.0" 200 -
2015-11-07 14:57:50,356 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/346-19ca330/website.assets_editor.js HTTP/1.0" 200 -
2015-11-07 14:57:50,639 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /logo.png HTTP/1.0" 200 -
2015-11-07 14:57:50,950 1 INFO ? werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /website/static/src/img/library/world.jpg HTTP/1.0" 200 -
2015-11-07 14:57:52,859 1 INFO ? werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:52] "GET /web/static/lib/fontawesome/fonts/fontawesome-webfont.woff?v=4.2.0 HTTP/1.0" 200 -
2015-11-07 14:57:52,880 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:52] "GET /web/image/388 HTTP/1.0" 200 -

This file is an auto generated, compressed javascript file with all the common js assets for the website to function. Thus the site and app become unusable. Restoring the file fixes this problem temporarily. It is unclear if other files are going missing or not.

Done So Far:

  1. Eliminated all the other elements of the set-up, including TLS/SSL, domain name, NginX, other instances (e.g. test etc)

  2. Downloaded Crawl Errors (404s etc) from Google Webmaster Tools into a CSV and used wget to crawl these URLs on the website.

  3. This resulted in the problem occurring instantly, and repeatedly, when I was logged in with a User set up with admin privileges  (not sure if this matters or not, as not tested with a normal user)

  4. This doesn't occur when the urls are requested when I am not logged in.

Conditions triggering the Problem:

This happens repeatably when the following conditions are met:

  1. - A User is logged in (tested with a user that has administrative privileges, but not necessarily Administrator - not tested with a normal user)

  2. - An Anonymous User (e.g. a web crawler/bot/etc) requests a URL

  3. - The URL is unknown and results in a 404

  4. - A new page request is made by the User logged in

I can now repeatably make this happen with the above conditions.

This still happens with the latest nightly build (set the ODOO_RELEASE to 20151109 in the Dockerfile to grab the latest available as of today). 

At this point, it looks like a very concerning security issue, that an external, anonymous (not logged in) user can trigger a catastrophic file deletion inside the odoo software simply by requesting a URL that doesn't exist, which will happen with every site at some point. Has anyone else upgraded to v9 experienced this problem?

Avatar
Discard
Damian Bere
Author

So now managed to determine a repeatable set of triggers to make this bug appear. This should be repeatable for anyone else to check out.

Damian Bere
Author

Bug Report on Github here: https://github.com/odoo/odoo/issues/9495

Ray Carnes

Check out the tests I just ran in your bug report.

Avatar
Damian Bere
Author Best Answer

This has now been fixed in the latest build for 9.0 (community and enterprise), and retrofitted to 8.0 as well:  https://github.com/odoo/odoo/issues/9495

Avatar
Discard
Kurt Haselwimmer

The official docker build has also been updated to reflect the fact that the version numbering system has changed from v9.0 to v9.0c (c presumably for community) - the previous dockerfile build was therefore pulling no nightly later than the 25th November - these did not include the fix to the problem that Damian uncovered here.

Avatar
HammadHQ (Odoo Pakistan)
Best Answer

I have similar issue when I tried to migrate my openerp 7 data to odoo 9, I have solved this vy removing all these objects from the database like this

delete FROM "public"."ir_attachment" WHERE "public"."ir_attachment"."store_fname" LIKE '%56604d2e39e2e07be3a8fd65fd6ebcb71462d119%'

source: https://www.odoo.com/forum/help-1/question/updated-how-do-i-prevent-website-common-asset-files-from-constantly-not-being-found-ioerror-errno-2-no-such-file-or-directory-92982


Avatar
Discard
Related Posts Replies Views Activity
SecurityError and Javascript error after activating website module
security javascript website_builder website
Avatar
0
Mar 25
2285
How to hide pages from odoo 11 website ? Solved
security website_builder website odoo11
Avatar
Avatar
1
May 18
5460
How do i re-run the website builder to include the demo theme? Solved
website_builder website
Avatar
Avatar
Avatar
2
Sep 25
4411
Adding an HTML element to existing website template
website_builder website
Avatar
Avatar
1
Jul 25
1834
How to add lottie animation to odoo site
website_builder website
Avatar
Avatar
Avatar
2
Jun 25
3314