[fix] mrp: potential sql injection vector

author Xavier Morel <xmo@tinyerp.com>

Tue, 23 Feb 2010 12:47:48 +0000 (13:47 +0100)

committer Xavier Morel <xmo@tinyerp.com>

Tue, 23 Feb 2010 12:47:48 +0000 (13:47 +0100)
author Xavier Morel <xmo@tinyerp.com>
Tue, 23 Feb 2010 12:47:48 +0000 (13:47 +0100)
committer Xavier Morel <xmo@tinyerp.com>
Tue, 23 Feb 2010 12:47:48 +0000 (13:47 +0100)
diff --git a/addons/mrp/mrp.py b/addons/mrp/mrp.py

index 7cac4a8..15c02ab 100644 (file)
--- a/addons/mrp/mrp.py
+++ b/addons/mrp/mrp.py
@@ -216,7 +216,7 @@ class mrp_bom(osv.osv):
      def _check_recursion(self, cr, uid, ids):
          level = 500
          while len(ids):
-            cr.execute('select distinct bom_id from mrp_bom where id in ('+','.join(map(str,ids))+')')
+            cr.execute('select distinct bom_id from mrp_bom where id in %s', (tuple(ids),))
              ids = filter(None, map(lambda x:x[0], cr.fetchall()))
              if not level:
                  return False
author	Xavier Morel <xmo@tinyerp.com>
	Tue, 23 Feb 2010 12:47:48 +0000 (13:47 +0100)
committer	Xavier Morel <xmo@tinyerp.com>
	Tue, 23 Feb 2010 12:47:48 +0000 (13:47 +0100)