[FIX] hr_holidays: proper parameter passing syntax for raw SQL

This instance was not actually exploitable for SQL injection as it is not callable directly via RPC and guarded by other queries when indirectly called. Still plain awful.
2014-07-04 16:45:41 +02:00 · 2014-07-04 16:45:41 +02:00 · 1279ca0334
parent bf353998f2
commit 1279ca0334
1 changed files with 2 additions and 2 deletions
--- a/addons/hr_holidays/hr_holidays.py
+++ b/addons/hr_holidays/hr_holidays.py
@ -510,8 +510,8 @@ class hr_employee(osv.osv):
            where
                h.state='validate' and
                s.limit=False and
-                h.employee_id in (%s)
-            group by h.employee_id"""% (','.join(map(str,ids)),) )
+                h.employee_id in %s
+            group by h.employee_id""", (tuple(ids),))
        res = cr.dictfetchall()
        remaining = {}
        for r in res: