Context:
Odoo v9 docker image installed behind NginX reverse proxy, on a publicly facing bare domain (e.g. mydomain.com), website builder installed, no other configuration or apps.
The Effects of the Problem:
Periodically a critical file will go missing, here's an example of the log (with my heading annotations) after a previously successful refresh request of the website:
Start of events in log after point last known to be working
===========================================================
2015-11-07 14:51:30,288 1 INFO db-test openerp.addons.fetchmail.fetchmail: start checking for new emails on imap server Google Apps
2015-11-07 14:51:30,981 1 INFO db-test openerp.addons.fetchmail.fetchmail: Fetched 0 email(s) on imap server Google Apps; 0 succeeded, 0 failed.
This looks like an automated task - notice the IDs
==================================================
2015-11-07 14:52:46,405 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [785]
2015-11-07 14:52:47,246 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [786]
2015-11-07 14:52:47,680 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [787]
2015-11-07 14:52:48,056 1 INFO db-test openerp.models.unlink: User #1 deleted ir.attachment records with IDs: [788]
Anonymous Request for an unknown URL resulting in 404
=====================================================
2015-11-07 14:52:48,169 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:52:48] "GET /themes/elastixneo/ie.css HTTP/1.0" 404 -
More automated fetchmail activity
=================================
2015-11-07 14:56:36,462 1 INFO db-test openerp.addons.fetchmail.fetchmail: start checking for new emails on imap server Google Apps
2015-11-07 14:56:37,348 1 INFO db-test openerp.addons.fetchmail.fetchmail: Fetched 0 email(s) on imap server Google Apps; 0 succeeded, 0 failed.
The request where it fails - notice the IDs
===========================================
2015-11-07 14:57:49,185 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET / HTTP/1.0" 200 -
2015-11-07 14:57:49,595 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/785-56abdf9/web.assets_common.0.css HTTP/1.0" 200 -
2015-11-07 14:57:49,960 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/786-0a4c00b/website.assets_frontend.0.css HTTP/1.0" 200 -
2015-11-07 14:57:49,971 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:49] "GET /web/content/316-c930da7/web_editor.summernote.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,011 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/318-9b2470c/web_editor.editor.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,026 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/345-19ca330/website.assets_editor.0.css HTTP/1.0" 200 -
2015-11-07 14:57:50,034 1 INFO db-test openerp.addons.base.ir.ir_attachment: _read_file reading /var/lib/odoo/filestore/db-test/e6/e69e06808b908fc0d85ebfea58fbc7df3788e72e
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/openerp/addons/base/ir/ir_attachment.py", line 151, in _file_read
r = open(full_path,'rb').read().encode('base64')
IOError: [Errno 2] No such file or directory: u'/var/lib/odoo/filestore/db-test/e6/e69e06808b908fc0d85ebfea58fbc7df3788e72e'
2015-11-07 14:57:50,035 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/787-56abdf9/web.assets_common.js HTTP/1.0" 200 -
2015-11-07 14:57:50,240 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/317-c930da7/web_editor.summernote.js HTTP/1.0" 200 -
2015-11-07 14:57:50,286 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/319-9b2470c/web_editor.editor.js HTTP/1.0" 200 -
2015-11-07 14:57:50,319 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/788-0a4c00b/website.assets_frontend.js HTTP/1.0" 200 -
2015-11-07 14:57:50,356 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /web/content/346-19ca330/website.assets_editor.js HTTP/1.0" 200 -
2015-11-07 14:57:50,639 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /logo.png HTTP/1.0" 200 -
2015-11-07 14:57:50,950 1 INFO ? werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:50] "GET /website/static/src/img/library/world.jpg HTTP/1.0" 200 -
2015-11-07 14:57:52,859 1 INFO ? werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:52] "GET /web/static/lib/fontawesome/fonts/fontawesome-webfont.woff?v=4.2.0 HTTP/1.0" 200 -
2015-11-07 14:57:52,880 1 INFO db-test werkzeug: 172.17.1.125 - - [07/Nov/2015 14:57:52] "GET /web/image/388 HTTP/1.0" 200 -
This file is an auto generated, compressed javascript file with all the common js assets for the website to function. Thus the site and app become unusable. Restoring the file fixes this problem temporarily. It is unclear if other files are going missing or not.
Done So Far:
Eliminated all the other elements of the set-up, including TLS/SSL, domain name, NginX, other instances (e.g. test etc)
Downloaded Crawl Errors (404s etc) from Google Webmaster Tools into a CSV and used wget to crawl these URLs on the website.
This resulted in the problem occurring instantly, and repeatedly, when I was logged in with a User set up with admin privileges (not sure if this matters or not, as not tested with a normal user)
This doesn't occur when the urls are requested when I am not logged in.
Conditions triggering the Problem:
This happens repeatably when the following conditions are met:
- A User is logged in (tested with a user that has administrative privileges, but not necessarily Administrator - not tested with a normal user)
- An Anonymous User (e.g. a web crawler/bot/etc) requests a URL
- The URL is unknown and results in a 404
- A new page request is made by the User logged in
I can now repeatably make this happen with the above conditions.
This still happens with the latest nightly build (set the ODOO_RELEASE to 20151109 in the Dockerfile to grab the latest available as of today).
At this point, it looks like a very concerning security issue, that an external, anonymous (not logged in) user can trigger a catastrophic file deletion inside the odoo software simply by requesting a URL that doesn't exist, which will happen with every site at some point. Has anyone else upgraded to v9 experienced this problem?
So now managed to determine a repeatable set of triggers to make this bug appear. This should be repeatable for anyone else to check out.
Bug Report on Github here: https://github.com/odoo/odoo/issues/9495
Check out the tests I just ran in your bug report.