
openerp-community-reviewer team mailing list archive

Re: [Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0


Review: Needs Fixing

For better usability and security, your sanitize function should wrap the query function, the same way OE does, so that there is no way to call the query the wrong way.

Something along the lines of

def safe_query(query, *args):
    # escape every argument first, then fill in the placeholders; the tuple is
    # needed so that % substitutes one value per %s rather than formatting the
    # whole list as a single value
    args = tuple(map(sanitize_input, args))
    return repo.query(query % args)

safe_query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
           "cmis:contentStreamLength FROM  cmis:document "
           "WHERE cmis:name LIKE '%%%s%%'", filename)

Make sure to make these functions general purpose, not specific to this particular instance as it seems now (the function name sanitize_input_filename_field sounds specific to filename, when it can be used on any query).

Finally, make sure to put these functions in your topmost dependency (cmis) so any depending module can use it reliably.
-- 
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team OpenERP Community Reviewer/Maintainer is subscribed to branch lp:knowledge-addons/7.0.
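As an added illustration of the wrapper the review asks for (example code, not part of the merge proposal or of the cmis module), the following sketch makes sanitize_input general purpose and keeps the repository query behind safe_query so callers cannot hand it an unescaped string. The escaping rules are my reading of the CMIS query grammar (backslash escapes backslash and single quote inside a string literal, and additionally % and _ inside a LIKE pattern); Like, FakeRepo and find_by_name are names invented for the example, and FakeRepo only records the query text instead of talking to a server.

```python
# Added example: a general-purpose CMIS query wrapper in the shape suggested
# by the review. ASSUMPTIONS: escaping follows the CMIS query grammar as I
# read it (backslash escapes \ and ' in string literals, plus % and _ inside
# LIKE patterns); FakeRepo stands in for the real cmislib repository object.


class Like(str):
    """Marker type: this argument is a LIKE pattern fragment, so the
    wildcards % and _ must be escaped too, otherwise user input could
    widen the pattern (e.g. a bare % matching every document)."""


def sanitize_input(value, like=False):
    """Escape a value for use inside a single-quoted CMIS string literal.

    Works for any column, not just cmis:name: quotes and backslashes are
    escaped so the literal cannot be closed early by the input.
    """
    text = str(value)
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    if like:
        text = text.replace("%", "\\%").replace("_", "\\_")
    return text


def safe_query(repo, query, *args):
    """Escape every argument, then fill the %s placeholders and run the query.

    A tuple is passed to % so each argument fills exactly one placeholder;
    a placeholder/argument mismatch raises TypeError instead of silently
    producing a malformed query.
    """
    escaped = tuple(sanitize_input(a, like=isinstance(a, Like)) for a in args)
    return repo.query(query % escaped)


class FakeRepo(object):
    """Stand-in for the repository object: records the final query text."""

    def __init__(self):
        self.last_query = None

    def query(self, statement):
        self.last_query = statement
        return []


def find_by_name(repo, filename):
    """Example caller, in the same shape as the query under review. The
    caller supplies the wildcards in the template; the argument itself is
    wrapped in Like so wildcards inside the filename match literally."""
    return safe_query(
        repo,
        "SELECT cmis:name, cmis:objectId FROM cmis:document "
        "WHERE cmis:name LIKE '%%%s%%'",
        Like(filename),
    )


if __name__ == "__main__":
    repo = FakeRepo()
    # constructed sample input containing a quote and a wildcard character
    find_by_name(repo, "O'Brien 100%")
    print(repo.last_query)
```

Because safe_query takes the repository and the template together, the only way to run a query through it is with escaped arguments, which is the "no way to call it the wrong way" property the review asks for; dropping the module-level repo reference also makes it straightforward to move the helpers into the cmis module and reuse them from any depending addon.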

