From b17b2a2eb7c43017970a70bb4d7c8c6c239d6804 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Fri, 19 Aug 2016 02:47:19 +0200
Subject: [PATCH] [FIX] http: do not allow passing spaces around db in URL param
Until 9.0 our psycopg2 DSN connection strings do not allow having spaces within the db name, and passing some can cause duplicate registries to be loaded. Stripping spaces is a simple workaround until we actually support spaces within db names.
Fixes #13078
---
 addons/web/controllers/main.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py
index 3aa01cff047..1eacdbf0942 100644
--- a/addons/web/controllers/main.py
+++ b/addons/web/controllers/main.py
@@ -101,7 +101,7 @@ def ensure_db(redirect='/web/database/selector'):
 # If the db is taken out of a query parameter, it will be checked against
 # `http.db_filter()` in order to ensure it's legit and thus avoid db
 # forgering that could lead to xss attacks.
- db = request.params.get('db')
+ db = request.params.get('db') and request.params.get('db').strip()
 # Ensure db is legit
 if db and db not in http.db_filter([db]):
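Review bot: On the added line `db = request.params.get('db') and request.params.get('db').strip()`, only leading and trailing whitespace is removed, so a `db` value with whitespace inside the name still reaches the `http.db_filter([db])` check below; the commit message says the DSN strings cannot carry spaces within a name at all, and whether the filter rejects such a value is not visible here. If it does not, an explicit rejection after the strip would close the gap, for example `if db and any(c.isspace() for c in db): db = None`. The line also looks the parameter up twice and assumes it is a string; reading it once (`db = request.params.get('db')` then `db = db.strip() if db else db`) keeps the same behaviour and is easier to audit. A short comment such as `# normalise before the db_filter check: padded names can load duplicate registries (#13078)` would record why the strip is there. The body of `ensure_db` continues past the end of the hunk, so later uses of `db` are not reviewed here.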