openerp-community-reviewer team mailing list archive

Thread
Date

Re: [Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0

To: "El Hadji Dem \(http://www.savoirfairelinux.com\)" <elhadji.dem@xxxxxxxxxxxxxxxxxxxx>
From: "Sandy Carter \(http://www.savoirfairelinux.com\)" <sandy.carter@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 06 May 2014 15:09:14 -0000
In-reply-to: <20140321224421.27940.86732.launchpad@ackee.canonical.com>
Reply-to: mp+212260@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

Review: Needs Fixing

l.471 Still severe bug and injection potential

Try:
filename = "sql%' OR '1' = '1' OR '%injection"

CMIS must provide a code escape function, otherwise use OpenERP's. It is important that you don't do this manually.

https://en.wikipedia.org/wiki/Sql_injection

There are also no unittests. The previous example would be a good thing to test.
-- 
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team OpenERP Community Reviewer/Maintainer is subscribed to branch lp:knowledge-addons/7.0.

References

[Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0
From: El Hadji Dem (http://www.savoirfairelinux.com), 2014-03-21