(parent: bf35399)
[FIX] hr_holidays: proper parameter passing syntax for raw SQL
author    Olivier Dony <odo@openerp.com>    Fri, 4 Jul 2014 14:45:41 +0000 (16:45 +0200)
committer Olivier Dony <odo@openerp.com>    Fri, 4 Jul 2014 14:45:41 +0000 (16:45 +0200)
This instance was not actually exploitable for
SQL injection as it is not callable directly
via RPC and guarded by other queries when indirectly
called. Still plain awful.
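The two patterns this commit contrasts, string-formatting ids into the SQL text versus passing them as query parameters, as an added example that is not Odoo's code. It uses sqlite3 as an offline stand-in for PostgreSQL/psycopg2: psycopg2 lets the fixed code write `in %s` and adapt a Python tuple, while sqlite3 needs one `?` per value, so the safe builder generates the placeholder list itself. The `holidays` table, its columns and the helper names are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for the hr_holidays join (not Odoo's real schema).
def make_db():
    cr = sqlite3.connect(":memory:")
    cr.execute("create table holidays (employee_id integer, number_of_days real, state text)")
    cr.executemany(
        "insert into holidays values (?, ?, ?)",
        [(1, 2.0, "validate"), (1, 1.5, "validate"), (2, 3.0, "validate"), (3, 4.0, "draft")],
    )
    return cr

BASE = """select employee_id, sum(number_of_days) as days
          from holidays
          where state='validate' and employee_id in (%s)
          group by employee_id"""

def query_unsafe(ids):
    # Pre-fix pattern: the ids become part of the SQL text itself. Anything that is not
    # an integer lands in the statement verbatim, which is what made this an injection.
    return BASE % (",".join(map(str, ids)),)

def query_safe(ids):
    # Post-fix pattern: values travel separately as parameters. psycopg2 lets Odoo write
    # `in %s` and adapt a tuple; sqlite3 has no tuple adapter, so one ? per value is built.
    # Only the placeholder list is interpolated, never a caller-supplied value.
    if not ids:
        raise ValueError("empty id list: 'in ()' is a syntax error in PostgreSQL and SQLite")
    params = [int(i) for i in ids]  # rejects anything that is not an integer id
    return BASE % (",".join("?" * len(params)),), params

def remaining_days(cr, ids):
    # Mirrors the fixed code path: parameters go to execute(), not into the SQL string.
    if not ids:
        return {}  # the guard the hunk's tuple(ids) form still needs for an empty list
    sql, params = query_safe(ids)
    return {employee_id: days for employee_id, days in cr.execute(sql, params).fetchall()}

if __name__ == "__main__":
    cr = make_db()
    print(remaining_days(cr, [1, 2]))      # {1: 3.5, 2: 3.0}
    print(query_unsafe(["1 or 1=1"]))      # tainted text is now part of the statement
    try:
        query_safe(["1 or 1=1"])
    except ValueError as e:
        print("rejected:", e)
```

The unsafe builder is kept only to show where a non-integer value ends up; the safe path both validates the ids and keeps them out of the SQL text, so the same input is rejected before any query runs.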
addons/hr_holidays/hr_holidays.py
diff --git a/addons/hr_holidays/hr_holidays.py b/addons/hr_holidays/hr_holidays.py
index 6a55403..793ab24 100644
--- a/addons/hr_holidays/hr_holidays.py
+++ b/addons/hr_holidays/hr_holidays.py
@@ -510,8 +510,8 @@ class hr_employee(osv.osv):
where
h.state='validate' and
s.limit=False and
- h.employee_id in (%s)
- group by h.employee_id"""% (','.join(map(str,ids)),) )
+ h.employee_id in %s
+ group by h.employee_id""", (tuple(ids),))
res = cr.dictfetchall()
remaining = {}
for r in res:
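Review bot: the parameterized form `h.employee_id in %s` with `(tuple(ids),)` is the right psycopg2 idiom, but it still renders as `in ()` when `ids` is empty, which PostgreSQL rejects as a syntax error (the old `','.join(map(str,ids))` form had the same problem); add an early `if not ids: return {}` before the query runs, and since `ids` now reaches the driver as values rather than text, consider asserting they are integers where they enter this method so a bad caller fails loudly instead of silently matching nothing.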