[FIX] hr_holidays: proper parameter passing syntax for raw SQL
This instance was not actually exploitable for SQL injection, as it is not callable directly via RPC and is guarded by other queries when called indirectly. Still plain awful.
parent
bf353998f2
commit
1279ca0334
|
@ -510,8 +510,8 @@ class hr_employee(osv.osv):
|
|||
where
|
||||
h.state='validate' and
|
||||
s.limit=False and
|
||||
h.employee_id in (%s)
|
||||
group by h.employee_id"""% (','.join(map(str,ids)),) )
|
||||
h.employee_id in %s
|
||||
group by h.employee_id""", (tuple(ids),))
|
||||
res = cr.dictfetchall()
|
||||
remaining = {}
|
||||
for r in res:
|
||||
|
|
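Review bot: `tuple(ids)` at `group by h.employee_id""", (tuple(ids),))` becomes `()` when `ids` is empty, which psycopg2 renders as `in ()` and PostgreSQL rejects as a syntax error at execute time; the old `','.join` form had the same hole, so the commit closes the injection path but leaves the empty-list case unhandled. The `cr.execute(` call and the enclosing method begin outside the hunk, so the guard belongs before the query, e.g. `if not ids: return {}` (the method appears to build a dict in `remaining`, so an empty dict is presumably the right value — confirm against the callers). Passing a tuple is the correct adaptation for `in %s` with psycopg2; a list would be rendered as an ARRAY literal and fail, so the `tuple()` wrapper should stay and a comment such as `# psycopg2 adapts a tuple to a parenthesised list for IN` would make that non-obvious choice explicit.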