* dict.iteritems to six.iteritems(dict) for python3 compatibility
Logged-in user (any permissions) can access sensitive files by calling frappe.client.get_js
Consider the following scenario:
1- Log in to the system
2- http://HOST/?items=["currentsite.txt"]&cmd=frappe.client.get_js (this will give you the site directory name)
3- http://HOST/?items=["SITE_DIR_NAME%2Fsite_config.json"]&cmd=frappe.client.get_js (this will show you the site config, including the database name and password and any other sensitive data)
The suggested fix prevents accessing any file outside the assets folder (or at least you should prevent access to .py files and the private folder, which includes backup and sensitive files, and the logs folder).
There should be a hotfix ASAP.
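A containment check of the kind the report asks for (every requested item must resolve to a file inside the assets folder), added here as an illustration and not Frappe's own code; `resolve_asset`, `get_js`, `demo`, the `.js`/`.css` allowlist and the constructed directory tree are all assumptions.

```python
import os
import tempfile


class ForbiddenPath(ValueError):
    """Raised when a requested item does not resolve to a permitted asset file."""


def resolve_asset(assets_dir, item):
    """Return the canonical path of `item` inside assets_dir, or raise ForbiddenPath."""
    base = os.path.realpath(assets_dir)
    # Absolute items must be refused explicitly: os.path.join would discard `base`.
    if os.path.isabs(item):
        raise ForbiddenPath(item)
    candidate = os.path.realpath(os.path.join(base, item))
    # realpath collapses '..' and follows symlinks, so comparing canonical paths
    # catches both traversal sequences and symlinks pointing outside the tree.
    if os.path.commonpath([base, candidate]) != base:
        raise ForbiddenPath(item)
    # Only bundled client assets are served, never .py, .json or .txt files.
    if os.path.splitext(candidate)[1] not in (".js", ".css"):
        raise ForbiddenPath(item)
    return candidate


def get_js(assets_dir, items):
    """Hardened stand-in for the endpoint: resolve every item first, refuse the whole request on any miss."""
    paths = [resolve_asset(assets_dir, item) for item in items]
    contents = []
    for path in paths:
        with open(path) as fh:
            contents.append(fh.read())
    return contents


def demo():
    """Exercise the check on a constructed tree mirroring the report's layout."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets", "js"))
    os.makedirs(os.path.join(root, "sites"))
    with open(os.path.join(root, "assets", "js", "app.js"), "w") as fh:
        fh.write("console.log('ok');")
    with open(os.path.join(root, "sites", "currentsite.txt"), "w") as fh:
        fh.write("site1.local")  # constructed stand-in for the sensitive file
    results = {}
    for item in ("js/app.js", "../sites/currentsite.txt", "js/../../sites/currentsite.txt", "/etc/hostname"):
        try:
            results[item] = get_js(os.path.join(root, "assets"), [item])[0]
        except ForbiddenPath:
            results[item] = None
    return results
```

Only the bundled asset is returned; every item that escapes the assets folder, whether by `..`, a nested `..` or an absolute path, is refused before anything is opened.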
```python
Traceback (innermost last):
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/app.py", line 57, in application
    response = frappe.handler.handle()
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/handler.py", line 19, in handle
    execute_cmd(cmd)
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/handler.py", line 36, in execute_cmd
    ret = frappe.call(method, **frappe.form_dict)
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/__init__.py", line 805, in call
    return fn(*args, **newargs)
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/client.py", line 79, in insert
    parent.append(doc)
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/model/base_document.py", line 130, in append
    if not self.__dict__.get(key):
TypeError: unhashable type: 'dict'
```
```python
Traceback (innermost last):
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/app.py", line 57, in application
    response = frappe.handler.handle()
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/handler.py", line 19, in handle
    execute_cmd(cmd)
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/handler.py", line 36, in execute_cmd
    ret = frappe.call(method, **frappe.form_dict)
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/__init__.py", line 805, in call
    return fn(*args, **newargs)
  File "/usr/frappe5/frappe-bench/apps/frappe/frappe/client.py", line 78, in insert
    parent = frappe.get_doc(doc.parenttype, doc.parent)
AttributeError: 'dict' object has no attribute 'parenttype'
```
- The Frappe client uses this submit function and fails because doclist is actually a {dict} or a [list]. Neither can have an as_dict() function.
- Seems like just a typo -> change to doclistobj instead.