Remove sql injection problem

lp bug: https://launchpad.net/bugs/429327 fixed bzr revid: hda@tinyerp.com-20091021072449-rc9usc422tb0kv2f
2009-10-21 12:54:49 +05:30 · 2009-10-21 12:54:49 +05:30 · b7f6bc4c8e
parent 251b6720ca
commit b7f6bc4c8e
46 changed files with 2027 additions and 1960 deletions
--- a/addons/account/account.py
+++ b/addons/account/account.py
@ -729,7 +729,7 @@ class account_move(osv.osv):

    def _amount_compute(self, cr, uid, ids, name, args, context, where =''):
        if not ids: return {}
-        cr.execute('select move_id,sum(debit) from account_move_line where move_id in ('+','.join(map(str,ids))+') group by move_id')
+        cr.execute('select move_id,sum(debit) from account_move_line where move_id in ('+','.join(map(str,map(int, ids)))+') group by move_id')
        result = dict(cr.fetchall())
        for id in ids:
            result.setdefault(id, 0.0)
--- a/addons/account/invoice.py
+++ b/addons/account/invoice.py
@ -397,7 +397,7 @@ class account_invoice(osv.osv):
                l.id \
            from account_move_line l \
                left join account_invoice i on (i.move_id=l.move_id) \
-            where i.id in ('+','.join(map(str,ids))+') and l.account_id=i.account_id')
+            where i.id in ('+','.join(map(str,map(int, ids)))+') and l.account_id=i.account_id')
        res = map(lambda x: x[0], cr.fetchall())
        return res

--- a/addons/account_payment/account_move_line.py
+++ b/addons/account_payment/account_move_line.py
@ -42,7 +42,7 @@ class account_move_line(osv.osv):
                        WHERE move_line_id = ml.id
                        AND po.state != 'cancel') as amount
                    FROM account_move_line ml
-                    WHERE id in (%s)""" % (",".join(map(str, ids))))
+                    WHERE id in (%s)""" % (",".join(map(str,map(int, ids)))))
        r=dict(cr.fetchall())
        return r

--- a/addons/analytic_journal_billing_rate/terp.py
+++ b/addons/analytic_journal_billing_rate/terp.py
@ -19,7 +19,6 @@
 #
 ##############################################################################

-
 {
    'name': 'Analytic Journal Billing Rate',
    'version': '1.0',
--- a/addons/auction/barcode/init.py
+++ b/addons/auction/barcode/init.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright (c) 1996-2000 Tyler C. Sarna <tsarna@sarna.org>
 # All rights reserved.
--- a/addons/auction/barcode/code128.py
+++ b/addons/auction/barcode/code128.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright (c) 2000 Tyler C. Sarna <tsarna@sarna.org>
 # All rights reserved.
--- a/addons/auction/barcode/code39.py
+++ b/addons/auction/barcode/code39.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright (c) 1996-2000 Tyler C. Sarna <tsarna@sarna.org>
 # All rights reserved.
--- a/addons/auction/barcode/code93.py
+++ b/addons/auction/barcode/code93.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright (c) 2000 Tyler C. Sarna <tsarna@sarna.org>
 # All rights reserved.
--- a/addons/auction/barcode/common.py
+++ b/addons/auction/barcode/common.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright (c) 1996-2000 Tyler C. Sarna <tsarna@sarna.org>
 # All rights reserved.
--- a/addons/auction/barcode/fourstate.py
+++ b/addons/auction/barcode/fourstate.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright (c) 2000 Tyler C. Sarna <tsarna@sarna.org>
 # All rights reserved.
--- a/addons/auction/barcode/test.py
+++ b/addons/auction/barcode/test.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #!/usr/bin/python
 from common import *
 from code39 import *
--- a/addons/auction/barcode/usps.py
+++ b/addons/auction/barcode/usps.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright (c) 1996-2000 Tyler C. Sarna <tsarna@sarna.org>
 # All rights reserved.
--- a/addons/base_module_quality/init.py
+++ b/addons/base_module_quality/init.py
@ -1,4 +1,4 @@
-# -*- encoding: utf-8 -*-
+# -*- coding: utf-8 -*-
 ##############################################################################
 #
 #    OpenERP, Open Source Management Solution
--- a/addons/base_module_quality/terp.py
+++ b/addons/base_module_quality/terp.py
@ -1,4 +1,4 @@
-# -*- encoding: utf-8 -*-
+# -*- coding: utf-8 -*-
 ##############################################################################
 #
 #    OpenERP, Open Source Management Solution
--- a/addons/base_module_quality/base_module_quality.py
+++ b/addons/base_module_quality/base_module_quality.py
@ -1,4 +1,4 @@
-# -*- encoding: utf-8 -*-
+# -*- coding: utf-8 -*-
 ##############################################################################
 #
 #    OpenERP, Open Source Management Solution
--- a/addons/base_report_designer/wizard/tiny_sxw2rml/tiny_sxw2rml.py
+++ b/addons/base_report_designer/wizard/tiny_sxw2rml/tiny_sxw2rml.py
@ -1,4 +1,3 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 ##############################################################################
 #
@ -21,7 +20,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 ##############################################################################
-
+#!/usr/bin/python
 """
 Tiny SXW2RML - The Open ERP's report engine

--- a/addons/hr_holidays/migrations/1.5/post-00-change-requests-signs.py
+++ b/addons/hr_holidays/migrations/1.5/post-00-change-requests-signs.py
@ -1,3 +1,23 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#    
+#    OpenERP, Open Source Management Solution
+#    Copyright (C) 2004-2009 Tiny SPRL (<http://tiny.be>).
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.     
+#
+##############################################################################
 __name__ = "Change signs of old holiday requests"

 def migrate(cr, version):
--- a/addons/hr_holidays/migrations/1.5/post-01-convert-limits-into-requests.py
+++ b/addons/hr_holidays/migrations/1.5/post-01-convert-limits-into-requests.py
@ -1,3 +1,23 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#    
+#    OpenERP, Open Source Management Solution
+#    Copyright (C) 2004-2009 Tiny SPRL (<http://tiny.be>).
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.     
+#
+##############################################################################
 __name__ = "Convert the Holidays Per User limits into positive leave request"

 def migrate(cr, version):
--- a/addons/l10n_ch/account_move_line.py
+++ b/addons/l10n_ch/account_move_line.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 #  account_move_line.py
 #  l10n_ch
--- a/addons/l10n_ch/bank.py
+++ b/addons/l10n_ch/bank.py
@ -1,4 +1,4 @@
-#
+# -*- coding: utf-8 -*-
 #  bank.py
 #  l10n_ch
 #
--- a/addons/l10n_ch/report/tiny_sxw2rml.py
+++ b/addons/l10n_ch/report/tiny_sxw2rml.py
@ -1,6 +1,3 @@
-
-
-#!/usr/bin/python
 #coding: latin-1

 ##############################################################################
@ -32,7 +29,7 @@
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 #
 ##############################################################################
-
+#!/usr/bin/python
 """
 Tiny SXW2RML - The Tiny ERP's report engine

--- a/addons/l10n_ch_chart_c2c_pcg/init.py
+++ b/addons/l10n_ch_chart_c2c_pcg/init.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 #  __init__.py
 #
--- a/addons/l10n_ch_chart_c2c_pcg/wizard/init.py
+++ b/addons/l10n_ch_chart_c2c_pcg/wizard/init.py
@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 #  config.py
 #
--- a/addons/sale/unit_test/test.py
+++ b/addons/sale/unit_test/test.py
@ -1,3 +1,24 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+#    OpenERP, Open Source Management Solution
+#    Copyright (C) 2004-2009 Tiny SPRL (<http://tiny.be>). All Rights Reserved
+#    $Id$
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+##############################################################################
 import unittest
 import pooler
 import netsvc