From 05f36310edd268ac5bdc137d3efe209abaf687ef Mon Sep 17 00:00:00 2001
From: Fabien Pinckaers
Date: Mon, 26 May 2008 18:33:33 +0000
Subject: [PATCH] Bugfix: sql injection
bzr revid: fp@tinyerp.com-185a6fceab3500c8ae5d014c28294490449db5be
---
 bin/osv/orm.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/bin/osv/orm.py b/bin/osv/orm.py
index e799bf8c52f..14491110a04 100644
--- a/bin/osv/orm.py
+++ b/bin/osv/orm.py
@@ -62,6 +62,8 @@ import tools
 prof = 0
 ID_MAX = 1000
+regex_order = re.compile('^([a-zA-Z0-9_]+( desc)?,?)+$')
+
 def intersect(la, lb):
 return filter(lambda x: x in lb, la)
@@ -1950,6 +1952,7 @@ class orm(object):
 joins=[]
 while i','<','>','>=','<='), 'Error ! Bad clause operand "%s".' % (args[i][1],)
 if args[i][1] == 'inselect':
 raise except_orm('ValidateError', 'The clause \'inselect\' can not be used outside the orm!')
@@ -2187,6 +2190,11 @@ class orm(object):
 qu1.append(' (1=0)')
 return (qu1,qu2,tables)
+ def _check_qorder(self, word):
+ if not regex_order.match(word):
+ raise except_orm('AccessError', 'Bad query.')
+ return True
+
 def search_count(self, cr, user, args, context=None):
 if not context:
 context = {}
@@ -2206,6 +2214,9 @@ class orm(object):
 qu1 = ' where '+string.join(qu1,' and ')
 else:
 qu1 = ''
+
+ if order:
+ self._check_qorder(order)
 order_by = order or self._order
 limit_str = limit and ' limit %d' % limit or ''
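Review bot: The new `regex_order` pattern nests a `+` quantifier around an identifier run with optional separators, `([a-zA-Z0-9_]+( desc)?,?)+`, so a long non-matching string of identifier characters makes `regex_order.match` backtrack exponentially before `_check_qorder` can reject it; an unambiguous form such as `regex_order = re.compile(r'^[a-zA-Z0-9_]+( desc)?(,[a-zA-Z0-9_]+( desc)?)*\Z')` accepts the same well-formed clauses, additionally rejects a trailing comma, and uses `\Z` so the end anchor cannot match before a trailing newline as `$` does. The allow-list also rejects `asc` and upper-case `DESC`, which callers may legitimately pass, so that choice is worth stating explicitly in a comment rather than leaving it implicit. The hunk's context line is `import tools`, so the import block sits just above, but `import re` is not visible in this hunk; confirm `re` is imported.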
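Review bot: The added guard on the clause operator is an `assert`, which Python strips under `-O`/`PYTHONOPTIMIZE`, so the operator allow-list that this commit relies on as its SQL-injection fix is absent in optimized deployments; it should be an explicit check, e.g. `if args[i][1] not in (<the same tuple>):` followed by `raise except_orm('ValidateError', 'Error ! Bad clause operand "%s".' % (args[i][1],))`, which also matches the style of the `inselect` check on the following line. The line as rendered on this page is garbled (the text between `while i` and `','<','>'` appears to be lost), so the exact operator tuple should be read from the commit itself. The enclosing method starts before and ends after this hunk.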
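Review bot: `_check_qorder` has no docstring and its parameter is named `word` although it receives the whole ORDER BY clause; its `return True` is also unused by its only visible caller in the later hunk (`if order: self._check_qorder(order)`). A docstring such as `"""Reject *word* unless it is a safe ORDER BY clause: comma-separated identifiers, each optionally followed by ' desc' (see regex_order); raises except_orm('AccessError') otherwise."""` would make the contract explicit. `regex_order.match` anchors only at the start of the string, so the check depends entirely on the pattern's own `^...$` anchors; a one-line comment saying so would keep a later edit of the pattern from silently dropping the end anchor. The model default `self._order` is not passed through this check; presumably it is trusted as code-defined, but confirm no path lets callers set it.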