[fix] stock: potential sql injection vector in wizard/inventory_merge_zero
authorXavier Morel <xmo@tinyerp.com>
Wed, 24 Feb 2010 12:38:52 +0000 (13:38 +0100)
committerXavier Morel <xmo@tinyerp.com>
Wed, 24 Feb 2010 12:38:52 +0000 (13:38 +0100)
bzr revid: xmo@tinyerp.com-20100224123852-8z2pc089414l0poi

addons/stock/wizard/inventory_merge_zero.py

index e5b5bed..8302115 100644 (file)
@@ -53,11 +53,11 @@ def do_merge(self, cr, uid, data, context):
         raise wizard.except_wizard(_('Warning'),
                                    _('Please select one and only one inventory !'))
 
-    loc = str(data['form']['location_id'])
+    loc = data['form']['location_id']
 
     cr.execute('select distinct location_id,product_id from stock_inventory_line where inventory_id=%s', (data['ids'][0],))
     inv = cr.fetchall()
-    cr.execute('select distinct product_id from stock_move where (location_dest_id='+loc+') or (location_id='+loc+')')
+    cr.execute('select distinct product_id from stock_move where (location_dest_id=%(location_id)s) or (location_id=%(location_id)s)', data['form'])
     stock = cr.fetchall()
     for s in stock:
         if (loc,s[0]) not in inv:
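Review bot: The parameterized query on the new `cr.execute` line hands the whole `data['form']` mapping to the driver although only `location_id` is consumed, and `loc` holding that same value is already bound three lines earlier; `cr.execute('select distinct product_id from stock_move where (location_dest_id=%s) or (location_id=%s)', (loc, loc))` keeps the injection fix while making the single bound value explicit and not exposing the rest of the wizard form to the query layer. The membership test on the last line now compares the raw form value with rows returned by the first query, so if the form still delivers `location_id` as a string while the database yields integers the tuple never matches — worth confirming, since the removed `str()` cast suggests the value's type was not pinned down. `do_merge` starts before this hunk and its body continues past it.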