[FIX] avoid sql injection in sequences

lp bug: https://launchpad.net/bugs/512682 fixed

bzr revid: chs@tinyerp.com-20100203183255-21lh44tfloc01wqw

diff --git a/addons/account/sequence.py b/addons/account/sequence.py
index 02af766..8b38fe1 100644 (file)
--- a/addons/account/sequence.py
+++ b/addons/account/sequence.py
@@ -44,6 +44,8 @@ class ir_sequence(osv.osv):
         'fiscal_ids' : fields.one2many('account.sequence.fiscalyear', 'sequence_main_id', 'Sequences')
     }
     def get_id(self, cr, uid, sequence_id, test='id=%s', context={}):
+        if test not in ('id=%s', 'code=%s'):
+            raise ValueError('invalid test')
         cr.execute('select id from ir_sequence where '+test+' and active=%s', (sequence_id, True,))
         res = cr.dictfetchone()
         if res: