Commit graph

11295 commits

Author SHA1 Message Date
Nabin Hait
f84d843424 Merge pull request #2393 from nabinhait/hotfix
[URGENT] Prevent accessing sensitive files in client.get_js
2016-11-30 12:04:13 +05:30
exabakr
e9ca5ea9a6 [URGENT] Prevent accessing sensitive files in client.get_js
Logged-in user (any permissions) can access sensitive files by calling frappe.client.get_js

Consider the following scenario:
1- Log in to the system
2- http://HOST/?items=["currentsite.txt"]&cmd=frappe.client.get_js  (this will give you the site directory name)
3- http://HOST/?items=["SITE_DIR_NAME%2Fsite_config.json"]&cmd=frappe.client.get_js (this will show you the site config, including the database name and password and any other sensitive data)

The suggested fix prevents accessing any file outside the assets folder. (Or at least you should prevent access to .py files and the private folder, which includes backups and sensitive files, and the logs folder.)

There should be a hotfix ASAP
2016-11-30 12:02:57 +05:30
Revant Nandgaonkar
edca266862 Merge pull request #2392 from exabakr/patch-1
[URGENT] Prevent accessing sensitive files in client.get_js
2016-11-30 07:34:13 +05:30
exabakr
df6a1ce686 [URGENT] Prevent accessing sensitive files in client.get_js
Logged-in user (any permissions) can access sensitive files by calling frappe.client.get_js

Consider the following scenario:
1- Log in to the system
2- http://HOST/?items=["currentsite.txt"]&cmd=frappe.client.get_js  (this will give you the site directory name)
3- http://HOST/?items=["SITE_DIR_NAME%2Fsite_config.json"]&cmd=frappe.client.get_js (this will show you the site config, including the database name and password and any other sensitive data)

The suggested fix prevents accessing any file outside the assets folder. (Or at least you should prevent access to .py files and the private folder, which includes backups and sensitive files, and the logs folder.)

There should be a hotfix ASAP
2016-11-30 04:04:24 +03:00
Mohammed
61a3f3eda0 Delete rows that do not match the ones in the document without causing db deadlock 2016-11-29 18:11:21 +02:00
Rushabh Mehta
2a8902326d [feature] merge knowledge base in Frappe, fixes frappe/erpnext#6030 2016-11-28 17:26:53 +05:30
shreyas
684bb80f8e [Minor] convert date type to string when field is set as 'set_only_once' or constant 2016-11-28 17:15:41 +05:30
Nabin Hait
4cf123bd8f Fixed merge conflict 2016-11-28 14:25:11 +05:30
Nabin Hait
f94bcf25c3 Merge branch 'hotfix' 2016-11-28 14:24:40 +05:30
Nabin Hait
c3ab1cf86b bumped to version 7.1.20 2016-11-28 14:54:40 +06:00
Makarand Bauskar
bf37e4a254 [minor] fixes for check_if_latest method (#2377) 2016-11-28 12:38:32 +05:30
Shreyas Patil
6f59a23f47 [Minor] Removed unavailable scheduler command 'dump-queue-status' (#2385) 2016-11-28 12:38:20 +05:30
Saurabh
3952338b73 [urgent][fix] convert use_sandbox param to integer to avoid false data sandboxing (#2384) 2016-11-28 12:37:33 +05:30
paurosello
fe5a516673 Fix error missing fields on fixtures (#2378)
Only the name is currently taken from the DB; the other fields are mandatory to generate translations:

      File "/Users/pau/frappe-bench/env/lib/python2.7/site-packages/frappe/translate.py", line 407, in get_messages_from_custom_fields
        if cf['fieldtype'] == 'Selection' and cf.get('options'):
    KeyError: u'fieldtype'
2016-11-28 12:35:47 +05:30
Rushabh Mehta
4bd2285159 File Based Locking at Document Level (#2374)
* [redesign] improved locking in documents and redesigned recent documents

* [minor] patch to update doctype in existing documents
2016-11-25 16:14:00 +05:30
paurosello
9e70ff8811 Missing fields in unordered list (#2373) 2016-11-25 16:11:49 +05:30
rohitwaghchaure
a7477d5641 Minor fix (#2371) 2016-11-25 16:11:18 +05:30
rohitwaghchaure
e03d56adb6 [Fix] Multiple letter head printing issue on print format (#2365) 2016-11-25 16:10:42 +05:30
robert schouten
570f242841 move newsletter to tools (#2370) 2016-11-25 16:10:07 +05:30
Viet Pham
ee02258999 Ability to publish realtime event from bench (#2369) 2016-11-25 16:09:36 +05:30
Faris Ansari
1fa7835661 [fix] redirect to 'Not Permitted' page (#2367) 2016-11-25 16:06:16 +05:30
robert schouten
ad4ebb1001 allow permission for communication based on timeline not just reference (#2366) 2016-11-25 16:02:31 +05:30
Shreyas Patil
8cb27f8366 [Docs] Added new article to add custom button to a form (#2364) 2016-11-25 16:01:57 +05:30
Faris Ansari
81ef23ab0b pdf prompt for orientation (#2358) 2016-11-25 16:01:00 +05:30
Nabin Hait
ce4e170adb Merge branch 'hotfix' 2016-11-23 14:48:48 +05:30
Nabin Hait
610ea6b47b Merge branch 'master' into develop 2016-11-23 14:48:48 +05:30
Nabin Hait
d39510f915 bumped to version 7.1.19 2016-11-23 15:18:48 +06:00
Nabin Hait
3337e3f9dc Merge pull request #2363 from RobertSchouten/chartfix
[fix] charts don't get carried across reports
2016-11-23 14:46:44 +05:30
robert schouten
25a9df4364 [fix] charts don't get carried across reports 2016-11-23 15:28:47 +08:00
Saurabh
d40d08fb66 [fix] check against all linked documents while canceling or deleting (#2360) 2016-11-22 22:18:38 +05:30
robert schouten
aed15c02ae add order_by to get_value and document (#2357) 2016-11-22 22:15:13 +05:30
Nabin Hait
4dea45109b Merge branch 'master' into develop 2016-11-22 17:16:40 +05:30
Nabin Hait
d3cfd0bbb4 Merge branch 'hotfix' 2016-11-22 17:16:39 +05:30
Nabin Hait
fc69d03dc8 bumped to version 7.1.18 2016-11-22 17:46:39 +06:00
Nabin Hait
17879397c7 Merge pull request #2359 from rmehta/print-format-builder-custom-html-fix
[hot] [fix] editing multiple CUSTOM HTML values in field
2016-11-22 13:48:34 +05:30
Rushabh Mehta
8d67b99166 [hot] [fix] editing multiple CUSTOM HTML values in field 2016-11-22 13:29:26 +05:30
Nabin Hait
f1f4f20cb9 Merge pull request #2355 from saurabh6790/append_empty_field_dict
[fix] check for column field dict before appending child table data field
2016-11-22 12:55:41 +05:30
Nabin Hait
6add60e054 Merge branch 'master' into develop 2016-11-22 12:16:12 +05:30
Nabin Hait
4940695966 Merge branch 'hotfix' 2016-11-22 12:16:11 +05:30
Nabin Hait
2adafeb95d bumped to version 7.1.17 2016-11-22 12:46:11 +06:00
Nabin Hait
9255c9589f Merge pull request #2356 from nabinhait/hotfix
Cherry-picked "set last active time to user" from develop
2016-11-22 12:14:48 +05:30
Saurabh
68186a4943 [fix] check if user exists while setting last active date 2016-11-22 12:12:42 +05:30
Saurabh
6b3bf22462 [enhance] set last active time to user 2016-11-22 12:12:34 +05:30
Saurabh
a5b7bff45a [fix] check for column field dict before appending child table data field 2016-11-22 11:53:11 +05:30
robert schouten
6917dea00e remove filter dash limit as there is no performance increase (#2318) 2016-11-22 10:55:59 +05:30
Rushabh Mehta
90bc926730 [minor] added flush feature in error log and apply filters from list only for link and select, fixes frappe/erpnext#6968 (#2350) 2016-11-22 10:55:43 +05:30
Rushabh Mehta
7c8652fbf2 [docs] added some style and some fixes (#2352) 2016-11-22 10:55:32 +05:30
Rushabh Mehta
a099690e8f Revert "[optimize] remove count(*) from queries" (#2353) 2016-11-22 10:55:13 +05:30
Nabin Hait
ae197c37b1 Merge branch 'hotfix' 2016-11-21 19:08:23 +05:30
Nabin Hait
188c7390eb Merge branch 'master' into develop 2016-11-21 19:08:23 +05:30