From deae8d018a1c8275a28a6ace4f399143d11d146e Mon Sep 17 00:00:00 2001
From: Xavier Morel
Date: Mon, 22 Feb 2010 12:52:24 +0100
Subject: [PATCH] [fix] hr_expense: potential sql injection vectors

bzr revid: xmo@tinyerp.com-20100222115224-wj9bx82utze55e1n
---
 addons/hr_expense/hr_expense.py | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/addons/hr_expense/hr_expense.py b/addons/hr_expense/hr_expense.py
index f0fda12..912cfdf 100644
--- a/addons/hr_expense/hr_expense.py
+++ b/addons/hr_expense/hr_expense.py
@@ -39,10 +39,13 @@ class hr_expense_expense(osv.osv):
 return super(hr_expense_expense, self).copy(cr, uid, id, default, context)
 
 def _amount(self, cr, uid, ids, field_name, arg, context):
- id_set = ",".join(map(str, ids))
- cr.execute("SELECT s.id,COALESCE(SUM(l.unit_amount*l.unit_quantity),0) AS amount FROM hr_expense_expense s LEFT OUTER JOIN hr_expense_line l ON (s.id=l.expense_id) WHERE s.id IN ("+id_set+") GROUP BY s.id ")
- res = dict(cr.fetchall())
- return res
+ cr.execute("SELECT s.id, "\
+ "COALESCE(SUM(l.unit_amount*l.unit_quantity),0) AS amount "\
+ "FROM hr_expense_expense s "\
+ "LEFT OUTER JOIN hr_expense_line l ON (s.id=l.expense_id) "\
+ "WHERE s.id IN %s GROUP BY s.id ",
+ (tuple(ids),))
+ return dict(cr.fetchall())
 
 def _get_currency(self, cr, uid, context):
 user = self.pool.get('res.users').browse(cr, uid, [uid])[0]
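Review bot: The rewritten `hr_expense_expense._amount` still has no guard for an empty `ids` list: `tuple([])` is sent as `()`, and `WHERE s.id IN ()` is a syntax error in PostgreSQL, so the cursor raises instead of the method returning an empty dict. The sibling `hr_expense_line._amount` in the next hunk already returns `{}` before touching the cursor; add the same guard here, `if not ids: return {}`, directly above the `cr.execute(...)`. The old concatenated query failed the same way on empty input, so this is not a regression introduced by the patch, but the injection fix is the right moment to close it. Passing the ids as one tuple parameter is the correct remedy; it relies on the cursor adapting a Python tuple to a parenthesised SQL list (psycopg2 does, and `cr` appears to wrap it here), which is why the SQL reads `IN %s` without parentheses.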
@@ -188,10 +191,11 @@ class hr_expense_line(osv.osv):
 def _amount(self, cr, uid, ids, field_name, arg, context):
 if not len(ids):
 return {}
- id_set = ",".join(map(str, ids))
- cr.execute("SELECT l.id,COALESCE(SUM(l.unit_amount*l.unit_quantity),0) AS amount FROM hr_expense_line l WHERE id IN ("+id_set+") GROUP BY l.id ")
- res = dict(cr.fetchall())
- return res
+ cr.execute("SELECT l.id, "\
+ "COALESCE(SUM(l.unit_amount*l.unit_quantity),0) AS amount "\
+ "FROM hr_expense_line l WHERE id IN %s "\
+ "GROUP BY l.id", (tuple(ids),))
+ return dict(cr.fetchall())
 
 _columns = {
 'name': fields.char('Short Description', size=128, required=True),
-- 
1.7.10.4
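Review bot: The `(tuple(ids),)` argument in `hr_expense_line._amount` deserves a comment, because the placeholder is written `IN %s` with no parentheses and a later maintainer is likely to "correct" it to `IN (%s)`, which would render as `IN ((1, 2))` and break the query — or worse, go back to string concatenation. Suggested comment above the `cr.execute` call: `# psycopg2 adapts a tuple parameter to "(v1, v2, ...)", so the placeholder must be IN %s, not IN (%s); never splice ids into the SQL text`. As a point of style, the trailing `\` on the `"SELECT l.id, "\` lines is redundant inside the open `cr.execute(` parenthesis, since adjacent string literals concatenate implicitly there; dropping the backslashes makes the continuation lines plain literals. The enclosing method lies entirely inside this hunk, and its existing `if not len(ids): return {}` guard means the empty-tuple `IN ()` case is already handled on this side.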