openerp-community-reviewer team mailing list archive

Thread
Date

Re: [Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0

To: "El Hadji Dem \(http://www.savoirfairelinux.com\)" <elhadji.dem@xxxxxxxxxxxxxxxxxxxx>
From: "Sandy Carter \(http://www.savoirfairelinux.com\)" <sandy.carter@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 14 May 2014 14:40:16 -0000
In-reply-to: <20140321224421.27940.86732.launchpad@ackee.canonical.com>
Reply-to: mp+212260@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

Review: Needs Fixing

l.469,502: Queries are still not fully sanitized, any quotes or percent sizes in the input will result in unexpected behaviour. This is a security risk and a major bug potential.
I highly recommend you to add a function to sanitize input in the cmis module for queries and follow the documentation from http://wiki.alfresco.com/wiki/CMIS_Query_Language#Literals

Basic escaping:

    \\ represents \
    \' represents '

In addition to basic escaping, in LIKE expressions

    \% represents %
    \_ represents _

-- 
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team OpenERP Community Reviewer/Maintainer is subscribed to branch lp:knowledge-addons/7.0.

References

[Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0
From: El Hadji Dem (http://www.savoirfairelinux.com), 2014-03-21