A Python developer from Kaunas, Lithuania.
GU d? -p+ c++ l++ u? e++ m+(++) s-/ !n h+ !f g- w+ t- r y?
Elsewhere: GitHub / GitLab / StackOverflow
- 2018 in cycling
- Custom authentication methods in Odoo HTTP controllers
- Odoo DoS via Document Attachments
- Typosquatting in Odoo App Store
- Odoo: DoS via XML-RPC
- Custom exception handlers in Odoo client
- Odoo CLI commands
- Odoo ORM Performance Tips
- Odoo App Store Licensing Issues
Disclosures
Below is a list of security vulnerabilities I have discovered and disclosed (currently only in Odoo).
- Stored XSS in <redacted> module
- Remote code execution in <redacted>
- Public disclosure of git account credentials on Odoo Apps
- Auth bypass in website_mail module
Odoo addons
Over time, I have written a few Odoo addons, each of varying degree of usefulness. They are all available under either the AGPL-3 or LGPL-3 license. Use at your own ~~peril~~ risk.
- connector_openproject - Unidirectional (OpenProject -> Odoo) connector. Available for: 10.0.
- payment_mistertango - Mistertango payment acquirer implementation. Available for: 10.0, 11.0.
- payment_paysera - Paysera payment acquirer implementation. Available for: 8.0, 10.0.
- sec_defused_document - Defuses XML based attacks possible through Odoo's document indexing feature. Available for: 11.0.
- sec_defused_xmlrpc - Mitigates several XML-based attacks which are possible via Odoo's XML-RPC. Available for: 9.0, 10.0, 11.0.
- sec_disable_db_manager - Disables Odoo database manager page and database management functions via XML/JSON RPC. Available for: 10.0.
- sec_disable_jsonrpc - Disables Odoo's JSON-RPC endpoint. Available for: 10.0, 11.0, 12.0.
- sec_disable_xmlrpc - Disables Odoo's XML-RPC endpoints. Available for: 9.0, 10.0, 11.0, 12.0.
- web_ir_actions_act_window_qr_code - Allows QR code pop-ups to be displayed easily from Python code. Available for: 11.0, 12.0.
- website_ga_dnt - Disables the loading of Google Analytics scripts if the user has expressed a wish not to be tracked (via the Do Not Track header). Available for: 10.0, 11.0.
Bits
These are but short barfs not worthy of a separate post. Below are the last few. The rest are here. There is also a feed.
- Starting with Odoo v11, the automatic calculation of the `string` attribute on model fields has become a bit smarter: the field name is titlecased instead of only capitalizing the first character, and `_id` and `_ids` are removed from the end of the field name prior to titlecasing, allowing the `string` attribute to be omitted in even more cases.
- `int`-based selection field support is scheduled for removal in Odoo 13.0.
- Odoo has an `_unknown` model which can be (and is) used as the co-model on relational fields when the actual model is not yet known (e.g. in abstract mixin models). It will be set automatically by Odoo if no co-model is specified, but if you set it explicitly you will not get a warning.
- In Odoo 12 a new `save_session` route option was introduced, which, if set to `False`, will prevent a new session ID from being generated and stored when the controller endpoint is called. This is useful for non-authenticated (`auth='none'`) endpoints where the session is not relevant (e.g. JSON endpoints for API purposes) and prevents useless session files from being stored.
- In Odoo 11, if you stumble upon weird `TypeError: Model 'foo' does not exist in registry.` errors while Odoo is just starting up in threaded mode (e.g. during development) and you are certain that the `foo` model does exist, this might be due to an issue with addon preloading under Python 3, in which case setting `ODOO_PRELOAD_ADDONS=no` in the shell environment should fix the issue. Or you could run Odoo in worker mode.
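As an added illustration of the first bit above (the automatic `string` attribute on fields), the snippet below reimplements the described rule in plain Python so it can be run without Odoo. This is not Odoo's own code: the v11+ behaviour follows the rule stated above (strip a trailing `_id`/`_ids`, then titlecase), and the pre-11 variant is assumed to be a single `capitalize()` over the underscore-to-space form.

```python
def default_field_string(field_name: str) -> str:
    """Odoo 11+ style default for a field's ``string`` attribute.

    Standalone reimplementation of the rule described above (not Odoo's code):
    strip a trailing relational suffix (``_ids`` first, then ``_id``), replace
    underscores with spaces and titlecase every word.
    """
    if field_name.endswith("_ids"):
        field_name = field_name[:-4]
    elif field_name.endswith("_id"):
        field_name = field_name[:-3]
    return field_name.replace("_", " ").title()


def legacy_field_string(field_name: str) -> str:
    """Pre-11 style default, assumed here to be: replace underscores with
    spaces and capitalize only the first character, keeping the suffix."""
    return field_name.replace("_", " ").capitalize()


if __name__ == "__main__":
    # Constructed sample field names; the relational ones lose their suffix.
    for name in ("partner_id", "order_line_ids", "is_company", "name"):
        print(f"{name:15} legacy={legacy_field_string(name)!r:22} "
              f"v11={default_field_string(name)!r}")
```

The comparison shows why the newer rule lets the `string` attribute be dropped more often: `partner_id` becomes "Partner" rather than "Partner id", and multi-word names such as `is_company` get every word capitalized.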