auth_brute_force doesn't consider xmlrpc/jsonrpc login attempts #1125
👍 When I wrote this module, I just tested with Front UI attempts. Regards.
yajo added a commit to Tecnativa/server-tools that referenced this issue on Apr 12, 2018
To fix OCA#1125 I needed to refactor the addon. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied. This PR is implemented assuming odoo/odoo#24187 will be merged and backported.
The fix is in #1219, let's continue there.
yajo added a commit to Tecnativa/server-tools that referenced this issue on Apr 27, 2018
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
yajo added a commit that referenced this issue on May 18, 2018
To fix #1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
yajo added a commit to Tecnativa/server-auth that referenced this issue on May 21, 2018
To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
[FIX] auth_brute_force: Small typos
- The `whitelisted` field needs to exist in view to be usable.
- The correct class is `decoration-danger` for tree views.
yajo added a commit to Tecnativa/server-auth that referenced this issue on May 21, 2018
To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
[FIX] auth_brute_force: Small typos (#1250)
- The `whitelisted` field needs to exist in view to be usable.
- The correct class is `decoration-danger` for tree views.
yajo added a commit to Tecnativa/server-auth that referenced this issue on May 21, 2018
…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
[FIX] auth_brute_force: Small typos (OCA/server-tools#1250)
- The `whitelisted` field needs to exist in view to be usable.
- The correct class is `decoration-danger` for tree views.
yajo added a commit to Tecnativa/server-auth that referenced this issue on May 21, 2018
…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
[FIX] auth_brute_force: Small typos (OCA/server-tools#1250)
- The `whitelisted` field needs to exist in view to be usable.
- The correct class is `decoration-danger` for tree views.
[FIX] auth_brute_force: Fix addon requirement computation (OCA/server-tools#1251)
Include HACK for odoo/odoo#24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
yajo added a commit to Tecnativa/server-auth that referenced this issue on May 22, 2018
To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
yajo added a commit to Tecnativa/server-auth that referenced this issue on May 22, 2018
…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
yajo added a commit to Tecnativa/server-tools that referenced this issue on May 24, 2018
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
daramousk pushed a commit to daramousk/server-tools that referenced this issue on Jul 16, 2018
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
daramousk pushed a commit to daramousk/server-tools that referenced this issue on Oct 2, 2019
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
kait-avalah pushed a commit to kait-avalah/server-tools that referenced this issue on Jul 21, 2020
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
kait-avalah pushed a commit to kait-avalah/server-tools that referenced this issue on Jul 21, 2020
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
kait-avalah pushed a commit to kait-avalah/server-tools that referenced this issue on Aug 25, 2020
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
nikunjantala pushed a commit to Nitrokey/odoo-server-auth that referenced this issue on Sep 5, 2022
…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
nikunjantala pushed a commit to Nitrokey/odoo-server-auth that referenced this issue on Sep 28, 2022
…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
nikunjantala pushed a commit to Nitrokey/odoo-server-auth that referenced this issue on Oct 10, 2022
…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
dsolanki-initos pushed a commit to Nitrokey/odoo-server-auth that referenced this issue on Nov 30, 2022
…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
It's possible to circumvent auth_brute_force security by trying logins via xmlrpc/jsonrpc. The login attempts done this way are not checked by the module and do not count towards the failed attempts limit towards the ban. I would argue that the jsonrpc interface is the preferred one for bruteforcing tools, so IMO this limitation is non-negligible.
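The gap reported above closes when failed attempts are counted in one place that every login transport calls, rather than in the web form handler alone. The sketch below is an added example, not code from auth_brute_force or Odoo; the `LoginGuard` class, the limit of three failures, the comma-separated whitelist string and the request shapes are all assumptions made for the demonstration.

```python
import hmac
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3  # constructed limit for this demo

class LoginGuard:
    """Hypothetical guard: counts failed logins per remote address in one place."""
    def __init__(self, users, whitelist=""):
        self.users = users                # login -> password (demo data only)
        self.failures = defaultdict(int)  # remote address -> failed attempts
        # Comma-separated networks, in the spirit of a config parameter.
        self.whitelist = [ipaddress.ip_network(n.strip())
                          for n in whitelist.split(",") if n.strip()]

    def _whitelisted(self, remote):
        addr = ipaddress.ip_address(remote)
        return any(addr in net for net in self.whitelist)

    def authenticate(self, login, password, remote):
        trusted = self._whitelisted(remote)
        if not trusted and self.failures[remote] >= MAX_FAILURES:
            return "banned"               # refuse before checking the password
        expected = self.users.get(login, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            return "ok"
        if not trusted:
            self.failures[remote] += 1
        return "denied"

# Each transport only unpacks its own request shape, then calls the guard.
def web_login(guard, form, remote):
    return guard.authenticate(form["login"], form["password"], remote)

def xmlrpc_login(guard, params, remote):
    _db, login, password = params
    return guard.authenticate(login, password, remote)

def jsonrpc_login(guard, payload, remote):
    _db, login, password = payload["params"]["args"]
    return guard.authenticate(login, password, remote)

def mixed_transport_demo(ip="203.0.113.7"):  # documentation address, constructed
    guard = LoginGuard({"admin": "correct horse"}, whitelist="10.0.0.0/8")
    rpc = lambda pw: {"params": {"method": "login", "args": ["db", "admin", pw]}}
    return [web_login(guard, {"login": "admin", "password": "guess"}, ip),
            xmlrpc_login(guard, ("db", "admin", "guess"), ip),
            jsonrpc_login(guard, rpc("guess"), ip),
            jsonrpc_login(guard, rpc("correct horse"), ip)]
```

Failures arriving over three different transports from one address add up to the same counter, so the fourth call is refused even though it carries the right password.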