Bugfix: SQL injection
bzr revid: fp@tinyerp.com-185a6fceab3500c8ae5d014c28294490449db5be
This commit is contained in:
parent
93c1ece135
commit
05f36310ed
@ -62,6 +62,8 @@ import tools
prof = 0
prof = 0
ID_MAX = 1000
ID_MAX = 1000
|
|
regex_order = re.compile('^([a-zA-Z0-9_]+( desc)?,?)+$')
|
|
def intersect(la, lb):
def intersect(la, lb):
return filter(lambda x: x in lb, la)
return filter(lambda x: x in lb, la)
|
|
@ -1950,6 +1952,7 @@ class orm(object):
joins=[]
joins=[]
while i<len(args):
while i<len(args):
table=self
table=self
assert args[i][1] in ('like','ilike','not in','inselect','child_of','in','=','<>','<','>','>=','<='), 'Error ! Bad clause operand "%s".' % (args[i][1],)
if args[i][1] == 'inselect':
if args[i][1] == 'inselect':
raise except_orm('ValidateError',
raise except_orm('ValidateError',
'The clause \'inselect\' can not be used outside the orm!')
'The clause \'inselect\' can not be used outside the orm!')
@ -2187,6 +2190,11 @@ class orm(object):
qu1.append(' (1=0)')
qu1.append(' (1=0)')
return (qu1,qu2,tables)
return (qu1,qu2,tables)
|
|
def _check_qorder(self, word):
if not regex_order.match(word):
raise except_orm('AccessError', 'Bad query.')
return True
|
|
def search_count(self, cr, user, args, context=None):
def search_count(self, cr, user, args, context=None):
if not context:
if not context:
context = {}
context = {}
@ -2206,6 +2214,9 @@ class orm(object):
qu1 = ' where '+string.join(qu1,' and ')
qu1 = ' where '+string.join(qu1,' and ')
else:
else:
qu1 = ''
qu1 = ''
|
|
if order:
self._check_qorder(order)
order_by = order or self._order
order_by = order or self._order
|
|
limit_str = limit and ' limit %d' % limit or ''
limit_str = limit and ' limit %d' % limit or ''
|
|
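Review bot: The operator whitelist added in the second hunk (the `assert args[i][1] in (...)` line before `if args[i][1] == 'inselect':`) is input validation implemented with `assert`, which is compiled out under `python -O`, so the check this commit relies on silently disappears in optimized deployments; it should be an explicit raise, `if args[i][1] not in ('like','ilike','not in','inselect','child_of','in','=','<>','<','>','>=','<='):` followed by `raise except_orm('ValidateError', 'Error ! Bad clause operand "%s".' % (args[i][1],))`, matching the `except_orm` style already used two lines below. The enclosing function starts before and ends after that hunk. Separately, `regex_order` in the first hunk appears to accept only identifiers with an optional ` desc` and no whitespace after a comma, and it admits a trailing comma, so `_check_qorder` will presumably reject ` asc` orderings and pass through an `order` string that is not valid SQL; a short comment on the pattern stating the exact grammar it enforces would help the next maintainer, e.g. `# order clause: comma-separated column names, each optionally followed by " desc"`.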