Technical mailing list archives

technical@mail.odoo.com


Re: Odoo json-rpc security issue

by Agile Business Group sagl, Lorenzo Battistini - Software Engineer, Agile Business Group - 01/31/2018 04:11:25

Just noticed that the Odoo JSON-RPC calls can be made only by passing the dbname, uname and pwd. Well, this is clearly available on inspection if it's from an external web page which is, for example, based on Angular. Isn't this a security risk, considering that Odoo is an ERP system? What are the solutions to this problem? I don't see any workaround on the Odoo JSON-RPC side to this problem, so is there anything that can be done on the external web page, which is based on Angular or any other system, for this?


If calls are exclusively under HTTPS, I don't see security risks (except those related to potential flaws in the HTTPS protocol, of course). Check your server with https://www.google.com/search?q=https+check
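The exchange above, as an added example that is not part of the original thread or of Odoo's own code: it builds the JSON-RPC 2.0 envelopes that Odoo's /jsonrpc endpoint accepts for common.login and object.execute_kw, shows that the database name, login and password sit in clear inside every request body (which is exactly what the questioner sees when inspecting a browser-side client), and wraps the transport in an HTTPS-only guard, which is the condition the reply relies on. The host odoo.example.com, the database "demo" and the credentials are constructed sample values.

```python
"""Shape of an Odoo JSON-RPC call, plus an HTTPS-only transport guard.

Added example; not code from the Odoo project or from the mailing-list thread.
The service names "common"/"object" and the argument order follow Odoo's
documented external API; the host, database and credentials below are made up.
"""
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen


def jsonrpc_envelope(service, method, args, req_id=1):
    # Odoo's /jsonrpc endpoint expects a JSON-RPC 2.0 "call" whose params
    # name the service ("common" or "object") and the method to invoke.
    return {
        "jsonrpc": "2.0",
        "method": "call",
        "id": req_id,
        "params": {"service": service, "method": method, "args": list(args)},
    }


def login_request(db, login, password):
    # common.login(db, login, password) returns the uid. The password is a
    # plain string inside the JSON body: anyone who can read the body reads it.
    return jsonrpc_envelope("common", "login", [db, login, password])


def execute_kw_request(db, uid, password, model, method, args, kwargs=None):
    # object.execute_kw(db, uid, password, model, method, args, kwargs):
    # every ORM call re-sends the password; there is no session token here.
    return jsonrpc_envelope(
        "object", "execute_kw",
        [db, uid, password, model, method, args, kwargs or {}],
    )


def exposed_secrets(request, secrets):
    # Which of the given secret values appear literally in the serialized body,
    # i.e. what a user sees in the browser's network inspector.
    body = json.dumps(request)
    return sorted(s for s in secrets if s in body)


def is_https(url):
    # The reply's precondition: calls are acceptable only under HTTPS.
    return urlparse(url).scheme == "https"


def https_only(url):
    # Refuse cleartext endpoints outright rather than silently sending
    # the database credentials over plain HTTP.
    if not is_https(url):
        raise ValueError(f"refusing to send Odoo credentials to non-HTTPS URL: {url}")
    return url


def send(url, request, timeout=10):
    # Real network call (not exercised offline). Fails before connecting
    # if the endpoint is not HTTPS.
    data = json.dumps(request).encode()
    req = Request(https_only(url), data=data,
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


if __name__ == "__main__":
    # Constructed sample values: hypothetical host, database and credentials.
    endpoint = "https://odoo.example.com/jsonrpc"
    db, login, password = "demo", "admin", "s3cret-pass"

    req = login_request(db, login, password)
    print(json.dumps(req, indent=2))
    print("secrets visible in request body:",
          exposed_secrets(req, [db, login, password]))

    call = execute_kw_request(db, 2, password, "res.partner", "search_read",
                              [[["is_company", "=", True]]],
                              {"fields": ["name"], "limit": 5})
    print("execute_kw args:", call["params"]["args"])
    print("HTTPS endpoint accepted:", is_https(endpoint))
    print("plain HTTP endpoint accepted:", is_https("http://odoo.example.com/jsonrpc"))
```

The point the two messages make between them is visible in `exposed_secrets`: the credentials are part of the request body by design, so the only thing standing between them and a network observer is the transport, which is why `https_only` is enforced before any request leaves the client.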
