From 11051f32e0ff2cc65a65311f76415996242fac67 Mon Sep 17 00:00:00 2001
From: Raphael Collet
Date: Mon, 15 Oct 2012 12:01:48 +0200
Subject: [PATCH] [FIX] res_users.login: fix query parameters in cr.execute

bzr revid: rco@openerp.com-20121015100148-pkanx35vr6fqojuj
---
 openerp/addons/base/res/res_users.py | 4 ++--
 openerp/sql_db.py | 3 +++
 openerp/tests/test_db_cursor.py | 36 ++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 openerp/tests/test_db_cursor.py

diff --git a/openerp/addons/base/res/res_users.py b/openerp/addons/base/res/res_users.py
index a1c06a52494..14673ce118f 100644
--- a/openerp/addons/base/res/res_users.py
+++ b/openerp/addons/base/res/res_users.py
@@ -409,8 +409,8 @@ class res_users(osv.osv):
             # prevent/delay login in that case. It will also have been logged
             # as a SQL error, if anyone cares.
             try:
-                cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", str(user_id))
-                cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", str(user_id))
+                cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", (user_id,))
+                cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", (user_id,))
             except Exception, e:
                 _logger.exception("Failed to update last_login for db:%s login:%s", db, login)
         except openerp.exceptions.AccessDenied:
diff --git a/openerp/sql_db.py b/openerp/sql_db.py
index a6ebcd0300f..f18414bdff8 100644
--- a/openerp/sql_db.py
+++ b/openerp/sql_db.py
@@ -215,6 +215,9 @@ class Cursor(object):
             _logger.warning(query)
             _logger.warning("SQL queries cannot contain %d or %f anymore. "
                             "Use only %s")
+        if params and not isinstance(params, (tuple, list, dict)):
+            _logger.error("SQL query parameters should be a tuple, list or dict; got %r", params)
+            raise ValueError("SQL query parameters should be a tuple, list or dict; got %r" % (params,))
         if self.sql_log:
             now = mdt.now()
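Review bot: The two corrected `cr.execute` calls sit inside a `try`/`except Exception` that would also swallow the `ValueError` the sql_db.py hunk now raises for malformed parameters, so a regression back to a bare string at this call site would show up only as a logged error, never as a test failure; the new test_db_cursor.py exercises `Cursor.execute` directly but not this path. A login-level test asserting that `login_date` is updated would close that gap, or at least a comment above the `try`: `# params must be a tuple: a bare str is rejected by Cursor.execute and the error is swallowed below`. The `e` bound in `except Exception, e:` is never used since `_logger.exception` already records the traceback, so `except Exception:` is enough. The enclosing method (login, per the subject line) starts and ends outside the hunk.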
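Review bot: The new guard interpolates the raw parameter with `%r` into both the error log and the `ValueError` text; query parameters can carry passwords or tokens, so a mistyped call would copy the secret into the log and into an exception message that may be surfaced to the caller. Reporting only the type avoids that: `_logger.error("SQL query parameters should be a tuple, list or dict; got %s", type(params).__name__)` with the same change in the `raise`. Logging and raising the same message also double-reports, since the `_logger.exception` at the res_users call site logs it again once caught; one of the two suffices. The `if params and` prefix also lets a falsy scalar such as `0` or `''` past the check; if the default is `None` (the signature is outside the hunk), `if params is not None and not isinstance(...)` is the tighter test. `Cursor.execute` starts and ends outside the hunk.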
diff --git a/openerp/tests/test_db_cursor.py b/openerp/tests/test_db_cursor.py
new file mode 100644
index 00000000000..97e3225d0aa
--- /dev/null
+++ b/openerp/tests/test_db_cursor.py
@@ -0,0 +1,36 @@
+# -*- coding: utf-8 -*-
+# Run with one of these commands:
+# > OPENERP_ADDONS_PATH='../../addons/trunk' OPENERP_PORT=8069 \
+#   OPENERP_DATABASE=yy PYTHONPATH=. python tests/test_ir_sequence.py
+# > OPENERP_ADDONS_PATH='../../addons/trunk' OPENERP_PORT=8069 \
+#   OPENERP_DATABASE=yy nosetests tests/test_ir_sequence.py
+# > OPENERP_ADDONS_PATH='../../../addons/trunk' OPENERP_PORT=8069 \
+#   OPENERP_DATABASE=yy PYTHONPATH=../:. unit2 test_ir_sequence
+# This assume an existing database.
+
+import unittest2
+
+import openerp
+import common
+
+DB = common.DB
+ADMIN_USER_ID = common.ADMIN_USER_ID
+
+def cursor():
+    return openerp.modules.registry.RegistryManager.get(DB).db.cursor()
+
+
+class test_ir_sequence_standard(unittest2.TestCase):
+    """ Try cr.execute with wrong parameters """
+
+    def test_execute_bad_params(self):
+        """ Try to use non-iterable in query parameters. """
+        cr = cursor()
+        with self.assertRaises(ValueError):
+            cr.execute("SELECT id FROM res_users WHERE login=%s", 'admin')
+        with self.assertRaises(ValueError):
+            cr.execute("SELECT id FROM res_users WHERE id=%s", 1)
+        with self.assertRaises(ValueError):
+            cr.execute("SELECT id FROM res_users WHERE id=%s", '1')
+
+# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
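Review bot: `cr = cursor()` in `test_execute_bad_params` is never closed, so each run leaks a pooled database cursor/connection; add `self.addCleanup(cr.close)` right after it (or wrap the asserts in `try`/`finally: cr.close()`). The docstring says "non-iterable" but `'admin'` and `'1'` are iterable strings — the property being tested is "not a tuple, list or dict", and the docstring should say so. The header comments and the class name `test_ir_sequence_standard` are carried over from test_ir_sequence.py and do not match this file, and `ADMIN_USER_ID` is imported but unused. A positive case (a tuple, a list and a dict accepted) would also guard against the check becoming over-restrictive.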