← Back to team overview

openerp-community-reviewer team mailing list archive

Re: [Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0

 

Review: Needs Fixing

l.469,502: Queries are still not fully sanitized, any quotes or percent sizes in the input will result in unexpected behaviour. This is a security risk and a major bug potential.
I highly recommend you to add a function to sanitize input in the cmis module for queries and follow the documentation from http://wiki.alfresco.com/wiki/CMIS_Query_Language#Literals

Basic escaping:

    \\ represents \
    \' represents '

In addition to basic escaping, in LIKE expressions

    \% represents %
    \_ represents _

-- 
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team OpenERP Community Reviewer/Maintainer is subscribed to branch lp:knowledge-addons/7.0.


References