Protect critical paths in Odoo #49
Assignees
Labels
Comments
yajo
added a commit
that referenced
this issue
Jul 12, 2017
These paths include: - `/web/database/*` - `/website/info` Defaults are to use the same user as the database user, and the same password as the odoo admin password, but there's actually nothing preventing you from changing that. Just play a bit with the labels. Fix #49.
|
Fixed in e6f495e. |
yajo
added a commit
that referenced
this issue
Jul 13, 2017
It's common to have production data copied to demos, so its security level should be the same. This fixes #49 for test environments too.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
These paths:
/web/database/*/website/infocan be considered critical because they offer world-wide read access to data that some people can consider sensitive, such as database names and installed addon names.
Not exactly fully critical, but can make some attacks easier.
Security patch will land in the scaffolding to protect these by default, by asking HTTP auth where you will have to know the odoo database user and the admin password to get read access there, getting benefit of recently landed feature in Traefik (traefik/traefik#1147).
It should only affect production.
The text was updated successfully, but these errors were encountered: