vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 4
No description
10969 commits 1 branch 0 tags 587 MiB
Find a file
exabakr e9ca5ea9a6 [URGENT] Prevent accessing sensitive files in client.get_js 
Logged in user (any permissions) can access sensitive files by calling frappe.client.get_js

Consider the following scenario:
1- Login to system
2- http://HOST/?items=["currentsite.txt"]&cmd=frappe.client.get_js  (this will give you site directory name)
3- http://HOST/?items=["SITE_DIR_NAME%2Fsite_config.json"]&cmd=frappe.client.get_js (this will show you site config including database name and password and any other sensitive data

The suggested fix prevent accessing any file outside the assets folder. (or atleast you should prevent access to .py files and private folder which includes backup and sensetive files and logs folders)

There should be a hot fix asap
2016-11-30 12:02:57 +05:30
ci add my_config patch to travis 2014-10-12 18:54:44 +05:30
frappe [URGENT] Prevent accessing sensitive files in client.get_js 2016-11-30 12:02:57 +05:30
test_sites [refactor] Language is now a doctype (#2003) 2016-08-23 16:38:03 +05:30
.gitignore [docs] remove /docs/current from repo, since they will be created during build 2016-02-04 17:09:01 +05:30
.travis.yml [Minor] Replace new installer in travis.yml 2016-08-01 17:20:01 +05:30
attributions.md Charts on reports / activity page, deprecated flot library 2016-05-26 15:27:13 +05:30
CONTRIBUTING.md Update CONTRIBUTING.md 2015-05-13 00:44:53 +05:30
hooks.md Web Notes to Frappe, better alerts, css fixes, fixed splash 2015-03-03 15:09:34 +05:30
license.txt [minor] year update (#1983) 2016-08-17 10:25:38 +05:30
MANIFEST.in Fixed manifest and website 2014-06-09 13:21:57 +05:30
README.md [setup-docs] generate docs and static pages 2015-10-27 10:57:25 +05:30
requirements.txt [Fix] Multiple letter head printing issue on print format (#2365) 2016-11-25 16:10:42 +05:30
setup.py [fix] change in versioning: store __version__ in __init__.py 2016-06-09 16:08:59 +05:30
socketio.js [fix] use currentsite.txt only if host is localhost 2016-07-29 07:59:07 +05:30

README.md

Frappe Framework

Build Status

Full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Built for ERPNext

Installation

Install via Frappe Bench

Website

For details and documentation, see the website

https://frappe.io

License

MIT License