[IMP] orm.read_group: remove sql injection vector by forcing group_by to be valid field + assert grouped field is in the view
bzr revid: odo@openerp.com-20100913004840-cxnmii88bhqmnzmz
This commit is contained in:
parent
d5a8728994
commit
6eaec834d9
|
@ -2226,18 +2226,24 @@ class orm(orm_template):
|
||||||
limit_str = limit and ' limit %d' % limit or ''
|
limit_str = limit and ' limit %d' % limit or ''
|
||||||
offset_str = offset and ' offset %d' % offset or ''
|
offset_str = offset and ' offset %d' % offset or ''
|
||||||
|
|
||||||
|
assert not groupby or groupby in fields, "Fields in 'groupby' must appear in the list of fields to read (perhaps it's missing in the list view?)"
|
||||||
|
|
||||||
fget = self.fields_get(cr, uid, fields)
|
fget = self.fields_get(cr, uid, fields)
|
||||||
float_int_fields = filter(lambda x: fget[x]['type'] in ('float', 'integer'), fields)
|
float_int_fields = filter(lambda x: fget[x]['type'] in ('float', 'integer'), fields)
|
||||||
sum = {}
|
sum = {}
|
||||||
|
|
||||||
flist = ''
|
flist = ''
|
||||||
group_by = groupby
|
group_by = groupby
|
||||||
if groupby:
|
if groupby:
|
||||||
if fget.get(groupby, False) and fget[groupby]['type'] in ('date', 'datetime'):
|
if fget.get(groupby, False):
|
||||||
flist = "to_char(%s,'yyyy-mm') as %s " % (groupby, groupby)
|
if fget[groupby]['type'] in ('date', 'datetime'):
|
||||||
groupby = "to_char(%s,'yyyy-mm')" % (groupby)
|
flist = "to_char(%s,'yyyy-mm') as %s " % (groupby, groupby)
|
||||||
|
groupby = "to_char(%s,'yyyy-mm')" % (groupby)
|
||||||
|
else:
|
||||||
|
flist = groupby
|
||||||
else:
|
else:
|
||||||
flist = groupby
|
# Don't allow arbitrary values, as this would be a SQL injection vector!
|
||||||
|
raise except_orm(_('Invalid group_by'),
|
||||||
|
_('Invalid group_by specification: "%s".\nA group_by specification must be a list of valid fields.')%(groupby,))
|
||||||
|
|
||||||
|
|
||||||
fields_pre = [f for f in float_int_fields if
|
fields_pre = [f for f in float_int_fields if
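Review bot: The new `assert not groupby or groupby in fields` on the first added line validates caller input with an `assert`, which CPython strips under `-O`, so the friendly "perhaps it's missing in the list view?" guidance silently disappears in optimized runs; express it on the same error path as the other new check, `if groupby and groupby not in fields: raise except_orm(_('Invalid group_by'), _("Fields in 'groupby' must appear in the list of fields to read (perhaps it's missing in the list view?)"))`. The injection guard itself does not appear to depend on the assert, since `fget` is built by `self.fields_get(cr, uid, fields)` and a `groupby` outside `fields` should therefore miss `fget.get(groupby, False)` and reach the new `raise`, but that relies on `fields_get` honouring its field filter, which is not visible in this hunk. The new error text says a group_by "must be a list of valid fields", yet the code only accepts a single field-name string: a list would trip `groupby in fields` (AssertionError) or, with `-O`, `fget.get(groupby, False)` (TypeError, unhashable list) and never the `except_orm`, so either accept lists or reword the message to "must be a valid field name". After validation the field name is still interpolated into `"to_char(%s,'yyyy-mm')"`, which is acceptable only because it is now bounded to the model's declared fields; a comment such as `# groupby is a declared field name here, so interpolating it into SQL is safe` would make that invariant explicit for the next editor. read_group starts before this hunk and continues past `fields_pre`, so the SQL that finally consumes `flist` and `groupby` is not visible here.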
|
||||||
|
|