[FIX] hr_holidays: proper parameter passing syntax for raw SQL
author Olivier Dony <odo@openerp.com>
Fri, 4 Jul 2014 14:45:41 +0000 (16:45 +0200)
committer Olivier Dony <odo@openerp.com>
Fri, 4 Jul 2014 14:45:41 +0000 (16:45 +0200)
This instance was not actually exploitable for
SQL injection as it is not callable directly
via RPC and guarded by other queries when indirectly
called. Still plain awful.

addons/hr_holidays/hr_holidays.py

index 6a55403..793ab24 100644
@@ -510,8 +510,8 @@ class hr_employee(osv.osv):
             where
                 h.state='validate' and
                 s.limit=False and
-                h.employee_id in (%s)
-            group by h.employee_id"""% (','.join(map(str,ids)),) )
+                h.employee_id in %s
+            group by h.employee_id""", (tuple(ids),))
         res = cr.dictfetchall()
         remaining = {}
         for r in res:
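Review bot: the parameterised form `h.employee_id in %s` with `(tuple(ids),)` still produces `in ()` when `ids` is empty, which PostgreSQL rejects as a syntax error; the old `','.join(map(str,ids))` version had the same gap, so this hunk fixes the injection pattern without closing that edge case. Consider returning early when `ids` is empty before the `cr.execute`, or guarding with `if not ids: return {}` in the same method, and add a short comment noting that the tuple is adapted by the driver rather than interpolated, so the intent of the change is clear to the next reader.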