diff --git a/openerp/addons/base/ir/ir_model.py b/openerp/addons/base/ir/ir_model.py index c8c7b77c441..25529d648d1 100644 --- a/openerp/addons/base/ir/ir_model.py +++ b/openerp/addons/base/ir/ir_model.py @@ -244,7 +244,8 @@ class ir_model_fields(osv.osv): 'translate': fields.boolean('Translatable', help="Whether values for this field can be translated (enables the translation mechanism for that field)"), 'size': fields.integer('Size'), 'state': fields.selection([('manual','Custom Field'),('base','Base Field')],'Type', required=True, readonly=True, select=1), - 'on_delete': fields.selection([('cascade','Cascade'),('set null','Set NULL')], 'On Delete', help='On delete property for many2one fields'), + 'on_delete': fields.selection([('cascade', 'Cascade'), ('set null', 'Set NULL'), ('restrict', 'Restrict')], + 'On Delete', help='On delete property for many2one fields'), 'domain': fields.char('Domain', help="The optional domain to restrict possible values for relationship fields, " "specified as a Python expression defining a list of triplets. " "For example: [('color','=','red')]"), diff --git a/openerp/tools/safe_eval.py b/openerp/tools/safe_eval.py index 4f39e1fd557..e4956d98958 100644 --- a/openerp/tools/safe_eval.py +++ b/openerp/tools/safe_eval.py @@ -46,6 +46,9 @@ __all__ = ['test_expr', 'safe_eval', 'const_eval'] # lp:703841), does import time. _ALLOWED_MODULES = ['_strptime', 'time'] +_UNSAFE_ATTRIBUTES = ['f_builtins', 'f_globals', 'f_locals', 'gi_frame', + 'co_code', 'func_globals'] + _CONST_OPCODES = set(opmap[x] for x in [ 'POP_TOP', 'ROT_TWO', 'ROT_THREE', 'ROT_FOUR', 'DUP_TOP', 'DUP_TOPX', 'POP_BLOCK','SETUP_LOOP', 'BUILD_LIST', 'BUILD_MAP', 'BUILD_TUPLE', @@ -118,7 +121,7 @@ def assert_no_dunder_name(code_obj, expr): .. note:: actually forbids every name containing 2 underscores """ for name in code_obj.co_names: - if "__" in name: + if "__" in name or name in _UNSAFE_ATTRIBUTES: raise NameError('Access to forbidden name %r (%r)' % (name, expr)) def assert_valid_codeobj(allowed_codes, code_obj, expr):