Remove sql injection problem

lp bug: https://launchpad.net/bugs/429327 fixed

bzr revid: hda@tinyerp.com-20091021072533-1p0q91xcxoj51k1n
HDA (OpenERP) 2009-10-21 12:55:33 +05:30
parent b7f6bc4c8e
commit 8c64e3c18b
5 changed files with 6 additions and 6 deletions


@ -106,7 +106,7 @@ class ir_translation(osv.osv):
'where lang=%s ' \
'and type=%s ' \
'and name=%s ' \
'and res_id in ('+','.join(map(str,ids))+')',
'and res_id in ('+','.join(map(str, ids))+')',
(lang,tt,name))
cr.commit()
for id in ids:


@ -65,7 +65,7 @@ class module_category(osv.osv):
_description = "Module Category"
def _module_nbr(self,cr,uid, ids, prop, unknow_none,context):
cr.execute('select category_id,count(*) from ir_module_module where category_id in ('+','.join(map(str,ids))+') or category_id in (select id from ir_module_category where parent_id in ('+','.join(map(str,ids))+')) group by category_id')
cr.execute('select category_id,count(*) from ir_module_module where category_id in ('+','.join(map(str, ids))+') or category_id in (select id from ir_module_category where parent_id in ('+','.join(map(str, ids))+')) group by category_id')
result = dict(cr.fetchall())
for id in ids:
cr.execute('select id from ir_module_category where parent_id=%s', (id,))


@ -58,7 +58,7 @@ class ir_property(osv.osv):
}
def unlink(self, cr, uid, ids, context={}):
if ids:
cr.execute('delete from ir_model_fields where id in (select fields_id from ir_property where (fields_id is not null) and (id in ('+','.join(map(str,ids))+')))')
cr.execute('delete from ir_model_fields where id in (select fields_id from ir_property where (fields_id is not null) and (id in ('+','.join(map(str, ids))+')))')
res = super(ir_property, self).unlink(cr, uid, ids, context)
return res


@ -70,7 +70,7 @@ class res_partner_category(osv.osv):
def _check_recursion(self, cr, uid, ids):
level = 100
while len(ids):
cr.execute('select distinct parent_id from res_partner_category where id in ('+','.join(map(str,ids))+')')
cr.execute('select distinct parent_id from res_partner_category where id in ('+','.join(map(str, ids))+')')
ids = filter(None, map(lambda x:x[0], cr.fetchall()))
if not level:
return False
@ -234,7 +234,7 @@ class res_partner(osv.osv):
return True
def address_get(self, cr, uid, ids, adr_pref=['default']):
cr.execute('select type,id from res_partner_address where partner_id in ('+','.join(map(str,ids))+')')
cr.execute('select type,id from res_partner_address where partner_id in ('+','.join(map(str,map(int, ids)))+')')
res = cr.fetchall()
adr = dict(res)
# get the id of the (first) default address if there is one,
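Review bot: In `address_get` the IN list is still built by string concatenation; `map(int, ids)` makes this one call safe only by coercion, and a non-numeric element now raises ValueError instead of reaching the database. Binding the values keeps the SQL text constant, in the same style as the `%s` parameters the ir_translation hunk already passes: `cr.execute('select type,id from res_partner_address where partner_id in (' + ','.join(['%s'] * len(ids)) + ')', tuple(ids))`. The other five changed lines in this commit (ir_translation, module_category `_module_nbr`, ir_property `unlink`, and both `_check_recursion` methods) differ from the old side only by a space after the comma in `map(str, ids)`, so as far as these hunks show they still interpolate `ids` unvalidated and need the same change. An empty `ids` produces `in ()` in either form, so a guard like the `if ids:` in `unlink` is worth adding here. The body of `address_get` continues past the end of the hunk.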


@ -93,7 +93,7 @@ class res_company(osv.osv):
def _check_recursion(self, cr, uid, ids):
level = 100
while len(ids):
cr.execute('select distinct parent_id from res_company where id in ('+','.join(map(str,ids))+')')
cr.execute('select distinct parent_id from res_company where id in ('+','.join(map(str, ids))+')')
ids = filter(None, map(lambda x:x[0], cr.fetchall()))
if not level:
return False