From d0c4cca10e5632345fb7e9ebd670a1b5ec01c0cd Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Thu, 7 Feb 2013 18:34:39 +0100
Subject: [PATCH] [FIX] web: properly encode db and addons URL parameters
Passing the values unescaped could be a source of errors and a XSS vector.
lp bug: https://launchpad.net/bugs/1118365 fixed
bzr revid: odo@openerp.com-20130207173439-ud5fos61d4pcoe2d
---
 addons/web/controllers/main.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py
index 8455fbafcd6..9fe38a9d23a 100644
--- a/addons/web/controllers/main.py
+++ b/addons/web/controllers/main.py
@@ -13,6 +13,7 @@ import os
 import re
 import simplejson
 import time
+import urllib
 import urllib2
 import xmlrpclib
 import zlib
@@ -294,9 +295,9 @@ def manifest_list(req, extension, mods=None, db=None):
     if not req.debug:
         path = '/web/webclient/' + extension
         if mods is not None:
-            path += '?mods=' + mods
+            path += '?' + urllib.urlencode({'mods': mods})
         elif db:
-            path += '?db=' + db
+            path += '?' + urllib.urlencode({'db': db})
         return [path]
     files = manifest_glob(req, extension, addons=mods, db=db)
     i_am_diabetic = req.httprequest.environ["QUERY_STRING"].count("no_sugar") >= 1 or \
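Review bot: Python 2's `urllib.urlencode` calls `str()` on each value before quoting, so on the two added lines a unicode `mods` or `db` holding non-ASCII characters would raise UnicodeEncodeError instead of being encoded. If the request layer can hand these parameters over as unicode (likely, given `req.httprequest` looks like a werkzeug request, but not visible here), encode them first, e.g. `urllib.urlencode({'mods': mods.encode('utf-8') if isinstance(mods, unicode) else mods})`, and likewise in the `db` branch. The escaping itself is the right fix for the reflected-URL issue the message describes; this is only about the encoding step failing closed with an exception rather than producing a usable path. manifest_list continues past the end of the hunk.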