[IMP] orm.read_group: remove sql injection vector by forcing group_by to be valid field + assert grouped field is in the view

bzr revid: odo@openerp.com-20100913004840-cxnmii88bhqmnzmz
2010-09-13 02:48:40 +02:00 · 2010-09-13 02:48:40 +02:00 · 6eaec834d9
parent d5a8728994
commit 6eaec834d9
1 changed files with 11 additions and 5 deletions
--- a/bin/osv/orm.py
+++ b/bin/osv/orm.py
@ -2226,18 +2226,24 @@ class orm(orm_template):
        limit_str = limit and ' limit %d' % limit or ''
        offset_str = offset and ' offset %d' % offset or ''

+        assert not groupby or groupby in fields, "Fields in 'groupby' must appear in the list of fields to read (perhaps it's missing in the list view?)"
+
        fget = self.fields_get(cr, uid, fields)
        float_int_fields = filter(lambda x: fget[x]['type'] in ('float', 'integer'), fields)
        sum = {}
-
        flist = ''
        group_by = groupby
        if groupby:
-            if fget.get(groupby, False) and fget[groupby]['type'] in ('date', 'datetime'):
-                flist = "to_char(%s,'yyyy-mm') as %s " % (groupby, groupby)
-                groupby = "to_char(%s,'yyyy-mm')" % (groupby)
+            if fget.get(groupby, False):
+                if fget[groupby]['type'] in ('date', 'datetime'):
+                    flist = "to_char(%s,'yyyy-mm') as %s " % (groupby, groupby)
+                    groupby = "to_char(%s,'yyyy-mm')" % (groupby)
+                else:
+                    flist = groupby
            else:
-                flist = groupby
+                # Don't allow arbitrary values, as this would be a SQL injection vector! 
+                raise except_orm(_('Invalid group_by'),
+                                 _('Invalid group_by specification: "%s".\nA group_by specification must be a list of valid fields.')%(groupby,))


        fields_pre = [f for f in float_int_fields if