Skip to Content
Trebuie să fiți înregistrat pentru a interacționa cu comunitatea.
All Posts Oameni Insigne
Etichete (View all)
odoo accounting v14 pos v15
Despre acest forum
Această întrebare a fost marcată
securitywebsite_builderwebsite
6 Răspunsuri
12327 Vizualizări
Imagine profil
Damian Bere

Context:

Odoo v9 docker image installed behind NginX reverse proxy, on a publicly facing bare domain (e.g. mydomain.com), website builder installed, no other configuration or apps.

The Effects of the Problem:

Periodically a critical file will go missing, here's an example of the log (with my heading annotations) after a previously successful refresh request of the website:

Start of events in log after point last known to be working
===========================================================
2015-11-07 14:51:30,288 1 INFO db-test openerp.addons.fetchmail.fetchmail: start checking for new emails on imap server Google Apps
2015-11-07 14:51:30,981 1 INFO db-test openerp.addons.fetchmail.fetchmail: Fetched 0 email(s) on imap server Google Apps; 0 succeeded, 0 failed.

This looks like an automated task - notice the IDs
==================================================
2015-11-07 14:52:46,405 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [785]
2015-11-07 14:52:47,246 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [786]
2015-11-07 14:52:47,680 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [787]
2015-11-07 14:52:48,056 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [788]

Anonymous Request for an unknown URL resulting in 404
=====================================================
2015-11-07 14:52:48,169 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:52:48] "GET /themes/elastixneo/ie.css HTTP/1.0" 404 -

More automated fetchmail activity
=================================
2015-11-07 14:56:36,462 1 INFO db-test openerp.addons.fetchmail.fetchmail: start checking for new emails on imap server Google Apps
2015-11-07 14:56:37,348 1 INFO db-test openerp.addons.fetchmail.fetchmail: Fetched 0 email(s) on imap server Google Apps; 0 succeeded, 0 failed.

The request where it fails - notice the IDs
===========================================
2015-11-07 14:57:49,185 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET / HTTP/1.0" 200 -
2015-11-07 14:57:49,595 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/785-56abdf9/web.assets_common.0.css HTTP/1.0" 200 -
2015-11-07 14:57:49,960 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/786-0a4c00b/website.assets_frontend.0.css HTTP/1.0" 200 -
2015-11-07 14:57:49,971 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/316-c930da7/web_editor.summernote.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,011 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/318-9b2470c/web_editor.editor.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,026 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/345-19ca330/website.assets_editor.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,034 1 INFO db-test openerp.addons.base.ir.ir_attachment: _read_file reading /var/lib/odoo/filestore/db-test/e6/e69e06808b908fc0d85ebfea58fbc7df3788e72e
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/openerp/addons/base/ir/ir_attachment.py", line 151, in _file_read
r = open(full_path,'rb').read().encode('base64')
IOError: [Errno 2] No such file or directory: u'/var/lib/odoo/filestore/db-test/e6/e69e06808b908fc0d85ebfea58fbc7df3788e72e'
2015-11-07 14:57:50,035 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/787-56abdf9/web.assets_common.js HTTP/1.0" 200 -
2015-11-07 14:57:50,240 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/317-c930da7/web_editor.summernote.js HTTP/1.0" 200 -
2015-11-07 14:57:50,286 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/319-9b2470c/web_editor.editor.js HTTP/1.0" 200 -
2015-11-07 14:57:50,319 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/788-0a4c00b/website.assets_frontend.js HTTP/1.0" 200 -
2015-11-07 14:57:50,356 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/346-19ca330/website.assets_editor.js HTTP/1.0" 200 -
2015-11-07 14:57:50,639 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /logo.png HTTP/1.0" 200 -
2015-11-07 14:57:50,950 1 INFO ? werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /website/static/src/img/library/world.jpg HTTP/1.0" 200 -
2015-11-07 14:57:52,859 1 INFO ? werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:52] "GET /web/static/lib/fontawesome/fonts/fontawesome-webfont.woff?v=4.2.0 HTTP/1.0" 200 -
2015-11-07 14:57:52,880 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:52] "GET /web/image/388 HTTP/1.0" 200 -

This file is an auto generated, compressed javascript file with all the common js assets for the website to function. Thus the site and app become unusable. Restoring the file fixes this problem temporarily. It is unclear if other files are going missing or not.

Done So Far:

  1. Eliminated all the other elements of the set-up, including TLS/SSL, domain name, NginX, other instances (e.g. test etc)

  2. Downloaded Crawl Errors (404s etc) from Google Webmaster Tools into a CSV and used wget to crawl these URLs on the website.

  3. This resulted in the problem occurring instantly, and repeatedly, when I was logged in with a User set up with admin privileges  (not sure if this matters or not, as not tested with a normal user)

  4. This doesn't occur when the urls are requested when I am not logged in.

Conditions triggering the Problem:

This happens repeatably when the following conditions are met:

  1. - A User is logged in (tested with a user that has administrative privileges, but not necessarily Administrator - not tested with a normal user)

  2. - An Anonymous User (e.g. a web crawler/bot/etc) requests a URL

  3. - The URL is unknown and results in a 404

  4. - A new page request is made by the User logged in

I can now repeatably make this happen with the above conditions.

This still happens with the latest nightly build (set the ODOO_RELEASE to 20151109 in the Dockerfile to grab the latest available as of today). 

At this point, it looks like a very concerning security issue, that an external, anonymous (not logged in) user can trigger a catastrophic file deletion inside the odoo software simply by requesting a URL that doesn't exist, which will happen with every site at some point. Has anyone else upgraded to v9 experienced this problem?

Imagine profil
Abandonează
Damian Bere
Autor

So now managed to determine a repeatable set of triggers to make this bug appear. This should be repeatable for anyone else to check out.

Damian Bere
Autor

Bug Report on Github here: https://github.com/odoo/odoo/issues/9495

Ray Carnes

Check out the tests I just ran in your bug report.

Imagine profil
Damian Bere
Autor Cel mai bun răspuns

This has now been fixed in the latest build for 9.0 (community and enterprise), and retrofitted to 8.0 as well:  https://github.com/odoo/odoo/issues/9495

Imagine profil
Abandonează
Kurt Haselwimmer

The official docker build has also been updated to reflect the fact that the version numbering system has changed from v9.0 to v9.0c (c presumably for community) - the previous dockerfile build was therefore pulling no nightly later than the 25th November - these did not include the fix to the problem that Damian uncovered here.

Imagine profil
HammadHQ (Odoo Pakistan)
Cel mai bun răspuns

I have similar issue when I tried to migrate my openerp 7 data to odoo 9, I have solved this vy removing all these objects from the database like this

delete FROM "public"."ir_attachment" WHERE "public"."ir_attachment"."store_fname" LIKE '%56604d2e39e2e07be3a8fd65fd6ebcb71462d119%'

source: https://www.odoo.com/forum/help-1/question/updated-how-do-i-prevent-website-common-asset-files-from-constantly-not-being-found-ioerror-errno-2-no-such-file-or-directory-92982


Imagine profil
Abandonează
Related Posts Răspunsuri Vizualizări Activitate
SecurityError and Javascript error after activating website module
security javascript website_builder website
Imagine profil
0
mar. 25
2320
How to hide pages from odoo 11 website ? Rezolvat
security website_builder website odoo11
Imagine profil
Imagine profil
1
mai 18
5482
How do i re-run the website builder to include the demo theme? Rezolvat
website_builder website
Imagine profil
Imagine profil
Imagine profil
2
sept. 25
4485
Adding an HTML element to existing website template
website_builder website
Imagine profil
Imagine profil
1
iul. 25
1885
How to add lottie animation to odoo site
website_builder website
Imagine profil
Imagine profil
Imagine profil
2
iun. 25
3348