Members mailing list archives

members@odoo-community.org

[security] upgrade of web_notify

by Camptocamp SA, Guewen Baconnier - 09/10/2018 06:35:54
A vulnerability has been fixed in the addon web_notify in versions 9.0, 10.0, 11.0. This addon is in https://github.com/OCA/web.

# Background

This module leverages the core notification system of Odoo and uses the bus channels to send notifications easily from backend code. For this purpose, it adds two methods, notify_info and notify_warning, on the 'res.users' model.

Example from an Odoo method:

def action_confirm(self):
    self.env.user.notify_info('Order confirmed')

-> this shows a notification popup in the web interface of the current user, provided the browser still has the web application open.

# Problem Description

The notify methods are accessible over XML-RPC and there is no restriction on the target user of the notification. Any authenticated user can send a notification crafted with malicious intent to any other user. The other user has to be logged in to Odoo to be affected (i.e. to receive the notification).

# Solution

The patch forbids users, except admin, from sending notifications to other users.
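The restriction the patch introduces can be expressed as follows. This is an added example written for this advisory, not the OCA/web patch itself; Odoo's environment, the res.users record and AccessError are replaced by minimal stand-ins (assumed names) so that it runs without Odoo.

```python
class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError."""


class Env:
    """Stand-in for Odoo's environment; `user` is the calling user (assumed shape)."""

    def __init__(self, user):
        self.user = user


class User:
    """Minimal stand-in for a res.users record (hypothetical, not Odoo's)."""

    def __init__(self, uid, name, is_admin=False):
        self.id, self.name, self._admin = uid, name, is_admin
        self.env = None      # set per call, like a recordset's environment
        self.inbox = []      # constructed: what the target's browser would receive

    def _is_admin(self):
        return self._admin

    def notify_info_before(self, message):
        # Before the fix: any authenticated caller reaching this method over
        # XML-RPC can target any user; nothing checks who is sending.
        self.inbox.append(("info", message))

    def notify_info(self, message):
        # After the fix: a non-admin caller may only notify themselves.
        caller = self.env.user
        if caller.id != self.id and not caller._is_admin():
            raise AccessError("Only admin may send notifications to other users")
        self.inbox.append(("info", message))


def make_users():
    """Constructed sample users: one administrator and two ordinary users."""
    return User(1, "admin", is_admin=True), User(2, "alice"), User(3, "bob")


def try_notify(caller, target, message, fixed=True):
    """Run the call as `caller` against `target`; return True if delivered."""
    target.env = Env(caller)
    try:
        (target.notify_info if fixed else target.notify_info_before)(message)
    except AccessError:
        return False
    return True
```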

Upgrade the OCA/web repository or apply one of the patches from: