Tryton News: Security Release for issue8189

@ced wrote:

Synopsis

A vulnerability in tryton has been found by Cédric Krier.

With issue8189, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

Impact

CVSS v3.0 Base Score: 4.3

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Workaround

There are no known workarounds.

Resolution

All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.0: <=5.0.5
  • 4.8: <=4.8.9
  • 4.6: <=4.6.13
  • 4.4: <=4.4.18
  • 4.2: <=4.2.20

Non affected versions per series:

  • 5.0: >=5.0.6
  • 4.8: >=4.8.10
  • 4.6: >=4.6.14
  • 4.4: >=4.4.19
  • 4.2: >=4.2.21

Reference

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security.
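
The advisory above describes an order clause on a field the caller cannot read. As an added illustration (not trytond's own code), the guard below refuses such clauses before any sorting happens; the access table, the relation map and the dotted-path handling are assumptions, and the order format follows Tryton's `[('field', 'ASC')]` convention.

```python
# Added example, not trytond's own code: a check of the kind issue8189
# calls for, refusing order clauses on fields the caller may not read.
# READABLE and TARGET are constructed sample data; dotted paths are an
# assumption, included so a hidden field is not reachable via a relation.

# Constructed sample: fields of each model the current user may read.
READABLE = {
    "party.party": {"id", "name", "code", "address"},
    "party.address": {"id", "street", "city"},
}
# Constructed sample: target model of each relational field.
TARGET = {("party.party", "address"): "party.address"}


class OrderAccessError(PermissionError):
    """Raised when an order clause touches a field without read access."""


def check_order(model, order, readable=READABLE, target=TARGET):
    """Validate (field, direction) clauses and normalise the direction.

    Every path component must be readable on the model it belongs to;
    the function raises instead of silently dropping the clause, so the
    caller cannot learn a hidden column's ranking through the sort order.
    """
    checked = []
    for field, direction in order:
        direction = direction.upper()
        if direction not in ("ASC", "DESC"):
            raise ValueError("unknown direction %r" % direction)
        current = model
        parts = field.split(".")
        for i, part in enumerate(parts):
            if part not in readable.get(current, set()):
                raise OrderAccessError(
                    "no read access to %s.%s" % (current, part))
            if i < len(parts) - 1:  # follow the relation to its target
                nxt = target.get((current, part))
                if nxt is None:
                    raise ValueError("%s.%s is not relational" % (current, part))
                current = nxt
        checked.append((field, direction))
    return checked


def is_order_allowed(model, order):
    """Boolean form of check_order, convenient for callers and tests."""
    try:
        check_order(model, order)
    except OrderAccessError:
        return False
    return True
```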


Tryton News: Newsletter March 2019

@ced wrote:

This month a lot of work has been put into improving and modernizing both clients, but also into increasing the maintainability of the code.
We also want to remind you that registration for the Tryton Unconference at Marseille, the 4th-7th June, is open. Do not wait too long, the places are limited.

Contents:

Changes For The User

The AEAT303 Spanish report has been updated to follow the new format published this year.

The French chart of account has been updated to include the new accounts 442* from PCG 2019.

Now that the desktop client has dropped support for GTK+2, we can use new widgets from GTK+3 such as the ShortcutsWindow. This window is displayed with the shortcut CTRL+F1 and provides a search functionality.

Another possibility with GTK+3 was to replace the filter popup window with a nicer Popover. This also solved a focus issue that happened on some window managers.

We changed the shortcut to switch tab to CTRL+Tab for desktop and ALT+Tab for web client. This is more natural for the user.

On the desktop client, we show the login dialog first, before the main application window. This has the side effect that it is not possible to know the running version before being connected. As this can lead to some incomprehension if the user is using the wrong version to connect to a server, we display the version number on the login dialog.
Desktop login window with version number

The design of the CSV export/import on the web client was not in the best shape. So we put some effort to redesign it to be closer to the Tryton standard.
Before:

After:

On small screens with the web client, replacing the search filter may be difficult. So we added a clear button, shown when the input is filled, for such cases.

On the search filter popover, some kinds of fields (e.g. date) are presented as a range. But to enter an equality clause, the user needs to fill both boundary entries with the exact same value. This is tedious. So we changed the range widget to automatically fill the end boundary with the value of the start boundary when the latter is changed. It is still possible to create a range query by modifying the "to" value.

By default Tryton only allows selling or purchasing products that are marked respectively as salable and purchasable. But it happens that over time, we no longer want to sell or purchase a product. The problem is that existing orders may no longer be valid because of such a change. Now we check the flags only in the draft and quotation states of the order, and existing orders stay valid.

We have removed the mandatory option on analytic axes because it may break some automatic workflows which created documents that were invalid according to the option. For some time now we have had a tool to show account lines for which the analytic axes were not completed.

Sometimes it is useful to be able to see quickly the deposit history of a customer. So we added a new relate link from the party form that displays their non-consumed deposit lines.

A frequently reported issue is that the size of dialogs is often too small on the desktop client. We have implemented a new algorithm that provides a better size by default.

We have improved the spacing of the reference field in the web client. Before this change, it could exceed the cell in an editable list.

Changes For The Developer

To be more compliant with HTTP status codes, the Tryton server will raise 429 TOO MANY REQUESTS when the login rate reaches the limit. This also gives a more comprehensive error message to the user.

A request is retried a number of times if it encounters a database operational error. When such an error comes from a lock failure, which is performed with NO WAIT, the retries are often too fast for the other request to release the lock. So we have added an increasing delay between the retries.

In the last release, we added a Bus to the server which does long polling with the clients. But our main server is based on threads/forks. With a big number of users, it can be very resource consuming to keep a thread for each long polling request. So we added an option to run the server using coroutines.
So now, the typical setup for performance is to run a thread/fork server and activate in the configuration the redirection of the bus requests to another Tryton server running with coroutines.

Until now the developer mode of the server (which activates the auto-reload on file changes) activated the debug level of the logging. It was considered annoying so we decoupled the log level from the developer mode. To increase the logging level, you just have to add more -v to the command line (or use a logging configuration).

The Model.fields_get method was a big function with all sorts of tests per field type. It was not modular, as the fields were hard-coded, and it was difficult to maintain. We split the function between the fields, which are now responsible for their own definition.
This allowed us to provide the dimension and the geometry type for the Tryton GIS backend.

We added the missing support for width and height of the notebook on the web client.

We have modernized the Javascript of the web client and now we use getters and setters. This makes the Javascript code look closer to the Python code of the desktop client.

We added the support of the window tab in the URL of the clients. This way they do not disappear when the page is reloaded and when the URL is shared.


Tryton News: Tryton Unconference 2019: In Marseille on the 6th & 7th of June

@nicoe wrote:

The Tryton Foundation is happy to announce the venue and date of the next Tryton Unconference.

We will go to the sunny city of Marseille in the south of France on the 6th and 7th of June. Contrary to previous editions of the Tryton Unconferences, the coding sprint will be organized during the two days preceding the conference.

Both events will take place at the École de Commerce et de Management. We will publish a website with more detailed information shortly.

Many thanks to adiczion, who is the organizer of this year's event!


Tryton News: Newsletter February 2019

@ced wrote:

Tryton continues its road of improvements for more performance and more scaling.

Contents:

Changes For The User

The arrows on columns are now always synchronized with the actual order. If the order is not on a single column then all arrows are displayed.

The records created by XML files in modules are by default protected against modification and deletion. But if they have the attribute noupdate set, they can be modified. Now they can also be deleted and updating the database will not recreate them.

On the wizard that allows paying multiple lines at once, we added back a field to define the date of the payment.

Refining a search in a long list can lead to no results on the actual page of the pagination.
This can be astonishing and annoying because the user may think that there is no result at all. To prevent this, now the client automatically reduces the pagination until it finds a result.

New Modules

account_statement_rule

The module allows rules to be defined to complete statement lines from imported files. When the “Apply Rule” button is clicked on a statement, each rule is tested in order, against each origin that does not have any lines, until one is found that matches. Then the rule found is used to create the statement lines linked to the origin. Get the account_statement_rule module.

Changes For The Developer

We added two tables, ir.calendar.month and ir.calendar.day, which store the translations of months and week days. This allowed us to replace the hard-coded values used to format time with locale and to re-use the translation infrastructure.
In addition, it also provides a common way for modules to store a month or day, as in the payment term, instead of duplicating the same selections many times. All standard modules have been migrated.

An old constraint inherited from TinyERP was removed from analytic account. It checked that debit and credit were always positive. We finally removed it to follow the same design as the general accounting.

We use soffice by default to convert reports into different formats. But sometimes (rarely), the soffice command does not stop and so it blocks the request forever. In order to release the locks of the request transaction, we added a default timeout of 5 minutes to execute the conversion.

We added the option to have ModuleTestCase, the generic test case for a module, run with extra modules installed. This is useful for modules that have extra_depends, so the depending code is also tested.

We have sped up the startup time of trytond by about 10% by improving the depends computation of the fields.

The plugins for clients are small pieces of code that are added to the client in order to perform some specific actions (usually to interact locally with the OS or to define a new widget). We can now define such plugins on the web client too.

Tryton supports a minimal cross-origin resource sharing mechanism. You just have to list the authorized origins in the configuration. For more complex rules, we advise using a front-end proxy like nginx.

Thanks to the CORS support, we can now redirect the request for the bus to a different host or service. This allows to reduce the load on the main server.

We can now search on keys of Dict fields using Tryton's ORM. On the PostgreSQL back-end, Dict fields can be stored as JSON. In this case, the database can use indexes to speed up the query.
It is also possible to order the search result based on the keys of Dict fields.

The cache management has been improved to be more transactional. It has now a more transactional-like API by using sync, commit and rollback. Only committed data can be stored in it.

Sometimes it may be needed to lock a record or a list of records for the transaction. To simplify this task, we added a dualmethod ModelSQL.lock which takes care of the different ways to lock depending on the back-end.


Tryton News: Newsletter January 2019

@ced wrote:

The last month saw a lot of improvements for the developers. Those improvements follow the same trend of consolidating and unifying the Tryton design.

Contents:

Changes For The User

Since the addition of phone number validation, it is required to put the international prefix. But it is usual that users forget it. So now we try to validate the number using the prefix of the address country of the party or of the company's party. Then the first valid prefix is stored with the number.

We have removed the country code from all default languages. This makes it easier to reuse them as the base language for country-specific ones, thanks to the translation cascading mechanism of Tryton.
– Remember, you can help :heart: translate Tryton on https://pootle.tryton.org/

Changes For The Developer

As search and sort on ModelView-only models are not supported, the methods are automatically deactivated to avoid the client emitting calls that would fail and raise an error message to the user.

In account module the tax update from template was improved. When updating the chart from template on replacing taxes, former taxes are now de-activated instead of decoupled from the template.

The shipment reports (e.g. delivery note) now use the correct moves for shipments.
When the inventory moves are empty (which happens when the shipment locations are the same), the other moves field will be used.
When a transit location is used for the internal shipment, the moves field used depends on the state. If it is already shipped, then the incoming moves are used to know where to store the products. If it is not yet shipped, then the outgoing moves are used to pick the products.

Normally a party should have only one SEPA identifier but in order to ease extension we removed the unique constraint.

Until now the ModelStorage.read API allowed reading the fields of the model but also the fields of Many2One and Reference targets. The API has been extended to read related xxx2Many fields. Reading a xxx2Many field results in a list of dictionaries with the requested values and always the id. The name of the key is suffixed by a dot, to avoid name space collisions. :warning: The former API for Many2One has been changed to stay consistent.

We always try to reduce the gap between web and desktop client. So we have implemented the widget attributes: expand, height and width into Sao.

By convention negative ids are reserved for non stored records. The client uses this convention when calling methods on unsaved records. We have decided to enforce this convention with a SQL constraint on every table which checks that the ID column contains a positive integer.

We changed the fallback unit of measure when calling get_sale_price. Before, the default unit of the product was used, but now it is the sale unit. This is a performance improvement because we can now make a single call and retrieve the prices in the right unit for all the products. Before, it required a call per unit of measure. This new behavior is not adapted to the purchase module, because when purchasing it is the supplier which defines the unit of measure and not the buyer.

We finally solved a long-standing issue with the error messages. The error messages on Model are replaced by records of the new model ir.message. A message can be retrieved, translated and formatted by calling the gettext method with the XML-ID.
User errors and warnings are now just exceptions raised with messages as arguments. This allows to create custom exceptions by inheriting the base ones for better control and testing.

We implemented the filtering of available models for the model selection of the Reference field, to fix a bug in domain inversion, when the client validates and forces a value depending on the domain.
