[MERGE] Make sure we pass only lists, tuples or dicts to Cursor.execute().

This fixes a call in the login code where a single untupled string was passed. Psycopg does not see the problem: it iterates over the string, and as long as the string length matches the number of needed parameters, everything seems fine. Yeah for dynamic typing and SQL queries. bzr revid: vmt@openerp.com-20121016125408-q537r71k5cisyxs0
2012-10-16 14:54:08 +02:00 · 2012-10-16 14:54:08 +02:00 · a3cef23827
parent 35df43c491 ae0a437aa6
commit a3cef23827
4 changed files with 39 additions and 3 deletions
--- a/openerp/addons/base/res/res_users.py
+++ b/openerp/addons/base/res/res_users.py
@ -409,8 +409,8 @@ class res_users(osv.osv):
                # prevent/delay login in that case. It will also have been logged
                # as a SQL error, if anyone cares.
                try:
-                    cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", str(user_id))
-                    cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", str(user_id))
+                    cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", (user_id,))
+                    cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", (user_id,))
                except Exception, e:
                    _logger.exception("Failed to update last_login for db:%s login:%s", db, login)
        except openerp.exceptions.AccessDenied:
--- a/openerp/sql_db.py
+++ b/openerp/sql_db.py
@ -215,6 +215,9 @@ class Cursor(object):
            _logger.warning(query)
            _logger.warning("SQL queries cannot contain %d or %f anymore. "
                         "Use only %s")
+        if params and not isinstance(params, (tuple, list, dict)):
+            _logger.error("SQL query parameters should be a tuple, list or dict; got %r", params)
+            raise ValueError("SQL query parameters should be a tuple, list or dict; got %r" % (params,))

        if self.sql_log:
            now = mdt.now()
--- a/openerp/tests/init.py
+++ b/openerp/tests/init.py
@ -9,7 +9,7 @@ See the :ref:`test-framework` section in the :ref:`features` list.
 """

 from . import test_expression, test_html_sanitize, test_ir_sequence, test_orm,\
-              test_view_validation, test_uninstall, test_misc
+              test_view_validation, test_uninstall, test_misc, test_db_cursor

 fast_suite = [
    test_ir_sequence,
@ -18,6 +18,7 @@ fast_suite = [
 checks = [
    test_expression,
    test_html_sanitize,
+    test_db_cursor,
    test_orm,
    test_view_validation,
    test_misc,
--- a/openerp/tests/test_db_cursor.py
+++ b/openerp/tests/test_db_cursor.py
@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+
+import unittest2
+
+import openerp
+from openerp.tools.misc import mute_logger
+import common
+
+DB = common.DB
+ADMIN_USER_ID = common.ADMIN_USER_ID
+
+def cursor():
+    return openerp.modules.registry.RegistryManager.get(DB).db.cursor()
+
+
+class test_cr_execute(unittest2.TestCase):
+    """ Try cr.execute with wrong parameters """
+
+    @mute_logger('openerp.sql_db')
+    def test_execute_bad_params(self):
+        """
+        Try to use iterable but non-list or int params in query parameters.
+        """
+        cr = cursor()
+        with self.assertRaises(ValueError):
+            cr.execute("SELECT id FROM res_users WHERE login=%s", 'admin')
+        with self.assertRaises(ValueError):
+            cr.execute("SELECT id FROM res_users WHERE id=%s", 1)
+        with self.assertRaises(ValueError):
+            cr.execute("SELECT id FROM res_users WHERE id=%s", '1')
+
+# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4: