From 8c64e3c18b4614043aea37c2bbefb633b467809b Mon Sep 17 00:00:00 2001
From: "HDA (OpenERP)"
Date: Wed, 21 Oct 2009 12:55:33 +0530
Subject: [PATCH] Remove sql injection problem

lp bug: https://launchpad.net/bugs/429327 fixed

bzr revid: hda@tinyerp.com-20091021072533-1p0q91xcxoj51k1n
---
 bin/addons/base/ir/ir_translation.py | 2 +-
 bin/addons/base/module/module.py | 2 +-
 bin/addons/base/res/ir_property.py | 2 +-
 bin/addons/base/res/partner/partner.py | 4 ++--
 bin/addons/base/res/res_company.py | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/bin/addons/base/ir/ir_translation.py b/bin/addons/base/ir/ir_translation.py
index a03e100..8e2a6d9 100644
--- a/bin/addons/base/ir/ir_translation.py
+++ b/bin/addons/base/ir/ir_translation.py
@@ -106,7 +106,7 @@ class ir_translation(osv.osv):
 'where lang=%s ' \
 'and type=%s ' \
 'and name=%s ' \
- 'and res_id in ('+','.join(map(str,ids))+')',
+ 'and res_id in ('+','.join(map(str, ids))+')',
 (lang,tt,name))
 cr.commit()
 for id in ids:
diff --git a/bin/addons/base/module/module.py b/bin/addons/base/module/module.py
index ced645f..44e14e6 100644
--- a/bin/addons/base/module/module.py
+++ b/bin/addons/base/module/module.py
@@ -65,7 +65,7 @@ class module_category(osv.osv):
 _description = "Module Category"
 
 def _module_nbr(self,cr,uid, ids, prop, unknow_none,context):
- cr.execute('select category_id,count(*) from ir_module_module where category_id in ('+','.join(map(str,ids))+') or category_id in (select id from ir_module_category where parent_id in ('+','.join(map(str,ids))+')) group by category_id')
+ cr.execute('select category_id,count(*) from ir_module_module where category_id in ('+','.join(map(str, ids))+') or category_id in (select id from ir_module_category where parent_id in ('+','.join(map(str, ids))+')) group by category_id')
 result = dict(cr.fetchall())
 for id in ids:
 cr.execute('select id from ir_module_category where parent_id=%s', (id,))
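Review bot: The `+` line of this hunk builds the same SQL text as the `-` line it replaces — the only difference is a space after `str,` — so `ids` is still concatenated into the statement and the injection named in the subject line is not closed here; the same applies to the module.py hunk that shares this line and to the ir_property.py, partner.py `_check_recursion` and res_company.py hunks later in the patch. Only the partner.py `address_get` hunk changes behaviour, by wrapping the ids in `map(int, ...)`. This statement already binds `(lang,tt,name)` as parameters, so the cleaner fix is to bind the id list the same way, `'and res_id in %s'` with `(lang,tt,name,tuple(ids))`, provided the cursor's adapter expands a tuple into an IN list (psycopg2 does); otherwise apply the `','.join(map(str, map(int, ids)))` form used in `address_get` so a non-integer id raises before any SQL is built. The enclosing method of this hunk begins before the hunk, so the surrounding parameter handling is not visible here.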
diff --git a/bin/addons/base/res/ir_property.py b/bin/addons/base/res/ir_property.py
index 10487bc..952c329 100644
--- a/bin/addons/base/res/ir_property.py
+++ b/bin/addons/base/res/ir_property.py
@@ -58,7 +58,7 @@ class ir_property(osv.osv):
 }
 def unlink(self, cr, uid, ids, context={}):
 if ids:
- cr.execute('delete from ir_model_fields where id in (select fields_id from ir_property where (fields_id is not null) and (id in ('+','.join(map(str,ids))+')))')
+ cr.execute('delete from ir_model_fields where id in (select fields_id from ir_property where (fields_id is not null) and (id in ('+','.join(map(str, ids))+')))')
 res = super(ir_property, self).unlink(cr, uid, ids, context)
 return res
 
diff --git a/bin/addons/base/res/partner/partner.py b/bin/addons/base/res/partner/partner.py
index 53d1b3f..82acd80 100644
--- a/bin/addons/base/res/partner/partner.py
+++ b/bin/addons/base/res/partner/partner.py
@@ -70,7 +70,7 @@ class res_partner_category(osv.osv):
 def _check_recursion(self, cr, uid, ids):
 level = 100
 while len(ids):
- cr.execute('select distinct parent_id from res_partner_category where id in ('+','.join(map(str,ids))+')')
+ cr.execute('select distinct parent_id from res_partner_category where id in ('+','.join(map(str, ids))+')')
 ids = filter(None, map(lambda x:x[0], cr.fetchall()))
 if not level:
 return False
@@ -234,7 +234,7 @@ class res_partner(osv.osv):
 return True
 
 def address_get(self, cr, uid, ids, adr_pref=['default']):
- cr.execute('select type,id from res_partner_address where partner_id in ('+','.join(map(str,ids))+')')
+ cr.execute('select type,id from res_partner_address where partner_id in ('+','.join(map(str,map(int, ids)))+')')
 res = cr.fetchall()
 adr = dict(res)
 # get the id of the (first) default address if there is one,
diff --git a/bin/addons/base/res/res_company.py b/bin/addons/base/res/res_company.py
index 6b19de4..1a0b4fe 100644
--- a/bin/addons/base/res/res_company.py
+++ b/bin/addons/base/res/res_company.py
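Review bot: The `map(int, ids)` on the `+` line of the `address_get` hunk is the only change in this patch that alters what reaches the database: a value that cannot be parsed as an integer now raises `ValueError` before the statement is built instead of being spliced into it, which is a sound fail-closed choice. It would read more consistently as `','.join(map(str, map(int, ids)))`, and since the file already uses `%s` binding elsewhere, `cr.execute('select type,id from res_partner_address where partner_id in %s', (tuple(ids),))` would keep ids out of the SQL text entirely, assuming the adapter expands tuples into IN lists (psycopg2 does). Separately, an empty `ids` yields `in ()`, which PostgreSQL rejects as a syntax error; the two `_check_recursion` hunks guard this with `while len(ids)` and `unlink` with `if ids:`, but no such guard is visible in `address_get`, whose body continues past the end of the hunk.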
@@ -93,7 +93,7 @@ class res_company(osv.osv):
 def _check_recursion(self, cr, uid, ids):
 level = 100
 while len(ids):
- cr.execute('select distinct parent_id from res_company where id in ('+','.join(map(str,ids))+')')
+ cr.execute('select distinct parent_id from res_company where id in ('+','.join(map(str, ids))+')')
 ids = filter(None, map(lambda x:x[0], cr.fetchall()))
 if not level:
 return False
-- 
1.7.10.4