* Remove six for PY2 compatibility since our dependencies are not; PY2
is legacy.
* Removed usages of utils from future/past libraries since they are
deprecated. This includes 'from __future__ ...' and 'from past...'
statements.
* Removed compatibility imports for PY2, switched from six imports to
standard library imports.
* Removed utils code blocks that handle operations depending on PY2/3
versions.
* Removed 'from __future__ ...' lines from templates/code generators
* Used PY3 syntax in place of PY2 compatible blocks, e.g. metaclass
Initially there were no permission checks on child table, which made the
child table data exposable through the API. The fix issued in commit
807a300fd8 involved default denying
permission to access child tables via client.py. The current fix checks
the permissions on the parent doctype and allows access if the user has
access on the parent.
* Fix docstring information to be clear
Updated the docstrings due to errors I encountered:
* `is_private` must be 1, normally would expect true or false
* `filedata` must be urlencoded base64 to work
* Update client.py
* dict.iteritems to six.iteritems(dict) for python3 compatibility
Logged-in user (any permissions) can access sensitive files by calling frappe.client.get_js
Consider the following scenario:
1- Login to system
2- http://HOST/?items=["currentsite.txt"]&cmd=frappe.client.get_js (this will give you site directory name)
3- http://HOST/?items=["SITE_DIR_NAME%2Fsite_config.json"]&cmd=frappe.client.get_js (this will show you site config including database name and password and any other sensitive data)
The suggested fix prevents accessing any file outside the assets folder (or at least you should prevent access to .py files and the private folder, which includes backups and sensitive files, and the logs folders).
There should be a hot fix ASAP.
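The suggested fix above amounts to a path containment check: every requested item must resolve to a regular file underneath the assets directory, after percent-decoding (step 3 hides the separator as `%2F`) and after collapsing `..` and symlinks. The following is an added example of such a check, not Frappe's own code; `resolve_asset_path`, `DENIED_SUFFIXES`, and the directory layout that `demo()` builds are all assumptions constructed for illustration.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote

# Hypothetical helper (not Frappe's own code): decide whether a requested
# item may be served from the assets directory at all.

# Constructed: never serve server-side source even if it sits under assets.
DENIED_SUFFIXES = (".py", ".pyc")


def resolve_asset_path(requested: str, assets_root: str) -> Optional[str]:
    """Return the absolute path for `requested` if it is a regular file inside
    `assets_root`, otherwise None. Rejects absolute paths, '..' traversal,
    percent-encoded separators and denied file types."""
    # Decode percent-encoding first so "%2F" cannot hide a separator from the check.
    decoded = unquote(requested)
    # realpath follows symlinks, so a symlinked assets dir still compares equal.
    root = os.path.realpath(assets_root)
    # An absolute `decoded` discards `root` in os.path.join; the containment
    # check below catches that case. realpath collapses '..' and symlinks.
    candidate = os.path.realpath(os.path.join(root, decoded))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Different drives on Windows: cannot be inside the root.
        inside = False
    if not inside or candidate == root:
        return None
    if candidate.lower().endswith(DENIED_SUFFIXES):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed layout (assets next to a sites directory holding a
    site_config.json) and report which requests would be served."""
    base = tempfile.mkdtemp()
    try:
        assets = os.path.join(base, "assets")
        os.makedirs(os.path.join(assets, "js"))
        with open(os.path.join(assets, "js", "app.js"), "w") as f:
            f.write("console.log('ok');\n")
        with open(os.path.join(assets, "helper.py"), "w") as f:
            f.write("x = 1\n")
        site = os.path.join(base, "sites", "site1")
        os.makedirs(site)
        with open(os.path.join(site, "site_config.json"), "w") as f:
            f.write('{"db_password": "constructed-placeholder"}\n')

        checks = {
            "plain asset": "js/app.js",
            "encoded separator": "js%2Fapp.js",
            "dotdot traversal": "../sites/site1/site_config.json",
            "encoded traversal": "..%2Fsites%2Fsite1%2Fsite_config.json",
            "absolute path": os.path.join(site, "site_config.json"),
            "python source": "helper.py",
            "missing file": "js/missing.js",
            "empty item": "",
        }
        return {label: resolve_asset_path(req, assets) is not None
                for label, req in checks.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, served in demo().items():
        print(f"{label:20s} -> {'served' if served else 'rejected'}")
```

The order of operations matters: decoding before resolving, resolving before comparing, and comparing with `commonpath` on real paths rather than with a string prefix test (a prefix test would accept a sibling directory such as `assets-private`).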