
openerp-india team mailing list archive

[Bug 1024532] Re: insufficient validation of orm fields thru xmlrpc

 

Another example is sending a read command without the field names
parameter. Note the response below.

<methodResponse>
	<fault>
		<value>
			<struct>
				<member>
					<name>faultCode</name>
					<value>
						<string>syntax error at or near ")"
LINE 5:                       AND l.partner_id IN () ^</string>
					</value>
				</member>
				<member>
					<name>faultString</name>
					<value>
						<string>Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/openerp/wsgi/core.py", line 79, in xmlrpc_return
    result = openerp.netsvc.dispatch_rpc(service, method, params)
  File "/usr/lib/pymodules/python2.7/openerp/netsvc.py", line 360, in dispatch_rpc
    result = ExportService.getService(service_name).dispatch(method, params)
  File "/usr/lib/pymodules/python2.7/openerp/service/web_services.py", line 572, in dispatch
    res = fn(db, uid, *params)
  File "/usr/lib/pymodules/python2.7/openerp/osv/osv.py", line 121, in wrapper
    return f(self, dbname, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/openerp/osv/osv.py", line 176, in execute
    res = self.execute_cr(cr, uid, obj, method, *args, **kw)
  File "/usr/lib/pymodules/python2.7/openerp/osv/osv.py", line 164, in execute_cr
    return getattr(object, method)(cr, uid, *args, **kw)
  File "/usr/lib/pymodules/python2.7/openerp/osv/orm.py", line 3381, in read
    result = self._read_flat(cr, user, select, fields, context, load)
  File "/usr/lib/pymodules/python2.7/openerp/osv/orm.py", line 3492, in _read_flat
    res2 = self._columns[val[0]].get(cr, self, ids, val, user, context=context, values=res)
  File "/usr/lib/pymodules/python2.7/openerp/osv/fields.py", line 1132, in get
    result = self._fnct(obj, cr, uid, ids, name, self._arg, context)
  File "/usr/lib/pymodules/python2.7/openerp/addons/account/partner.py", line 110, in _credit_debit_get
    (tuple(ids),))
  File "/usr/lib/pymodules/python2.7/openerp/sql_db.py", line 152, in wrapper
    return f(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/openerp/sql_db.py", line 212, in execute
    res = self._obj.execute(query, params)
ProgrammingError: syntax error at or near ")"
LINE 5:                       AND l.partner_id IN () ^</string>
					</value>
				</member>
			</struct>
		</value>
	</fault>
</methodResponse>


-----------

<methodCall xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions">
	<methodName>execute</methodName>
	<params>
		<param>
			<value>openerp_debug</value>
		</param>
		<param>
			<value>
				<i4>1</i4>
			</value>
		</param>
		<param>
			<value>admin</value>
		</param>
		<param>
			<value>res.partner</value>
		</param>
		<param>
			<value>read</value>
		</param>
		<param>
			<value>
				<array>
					<data>
						<value>
							<i4>45068</i4>
						</value>
					</data>
				</array>
			</value>
		</param>
	</params>
</methodCall>

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1024532

Title:
  insufficient validation of orm fields thru xmlrpc

Status in OpenERP Server:
  Confirmed

Bug description:
  
  There seems to be insufficient validation of ORM fields when executing a create thru XML-RPC, for example to create a partner with the wrong data type or invalid fields.

  For example:

  partner_data = {'name':True,'whacky':'123oiuwefkajshfdq39r87239487234'}

  - name being a boolean and whacky being a field that is not in the
  model.

  This creates a new partner called 'True'.
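Both symptoms on this page, the `read` request sent without a `fields` argument that ends in a `... IN ()` SQL error, and the `create` that accepts a boolean `name` and an unknown field `whacky`, come down to RPC arguments reaching the ORM unchecked. The following is an added example, not code from OpenERP or from the bug reporter, of the kind of argument validation a server should apply before dispatching: it checks a `create` payload against the model's field definitions and normalises the `ids`/`fields` arguments of a `read`. `PARTNER_SCHEMA`, `MODELS`, `ValidationError` and the `execute` wrapper are constructed for the example; the field names and types in the schema are assumptions, not OpenERP's real `res.partner` columns.

```python
"""Added example (not OpenERP code): validate 'create' and 'read' RPC
arguments against a model's field definitions before dispatching them.

PARTNER_SCHEMA is a constructed stand-in for an ORM model's column
definitions; its field names and accepted types are assumptions.
"""


class ValidationError(ValueError):
    """Raised when RPC arguments do not match the model's field definitions."""


# Constructed schema: field name -> tuple of accepted Python types.
# parent_id follows the ORM convention that an unset many2one is False.
PARTNER_SCHEMA = {
    "name": (str,),
    "email": (str,),
    "active": (bool,),
    "credit_limit": (int, float),
    "parent_id": (int, bool),
}

MODELS = {"res.partner": PARTNER_SCHEMA}


def _type_names(accepted):
    return "/".join(t.__name__ for t in accepted)


def validate_create_values(schema, values):
    """Return `values` unchanged if every key is a known field whose value has
    an accepted type; raise ValidationError otherwise."""
    if not isinstance(values, dict):
        raise ValidationError("create expects a dict of field values")
    unknown = sorted(set(values) - set(schema))
    if unknown:
        raise ValidationError("unknown fields: %s" % ", ".join(unknown))
    for field, value in values.items():
        accepted = schema[field]
        # bool is a subclass of int, so isinstance(True, int) is True;
        # reject booleans explicitly unless the field accepts them.
        if isinstance(value, bool) and bool not in accepted:
            raise ValidationError("field %r: boolean given, expected %s"
                                  % (field, _type_names(accepted)))
        if not isinstance(value, accepted):
            raise ValidationError("field %r: %s given, expected %s"
                                  % (field, type(value).__name__, _type_names(accepted)))
    return values


def validate_read_args(schema, ids, fields=None):
    """Return (ids, fields) as lists. A single int id is wrapped in a list;
    an empty id list is rejected so no `... IN ()` clause can be built;
    fields=None selects every field in the schema."""
    if isinstance(ids, int) and not isinstance(ids, bool):
        ids = [ids]
    if not isinstance(ids, (list, tuple)) or not ids:
        raise ValidationError("read expects a non-empty list of record ids")
    for rec_id in ids:
        if isinstance(rec_id, bool) or not isinstance(rec_id, int) or rec_id <= 0:
            raise ValidationError("record ids must be positive integers")
    if fields is None:
        fields = sorted(schema)
    if not isinstance(fields, (list, tuple)) or not all(isinstance(f, str) for f in fields):
        raise ValidationError("fields must be a list of field names")
    unknown = sorted(set(fields) - set(schema))
    if unknown:
        raise ValidationError("unknown fields: %s" % ", ".join(unknown))
    return list(ids), list(fields)


def execute(models, params):
    """Check an `execute` RPC argument list laid out as the request above is:
    (db, uid, password, model, method, *args). Returns ("ok", result) or
    ("fault", message) instead of raising, mirroring an XML-RPC response."""
    if len(params) < 5:
        return ("fault", "execute expects db, uid, password, model, method")
    _db, _uid, _password, model, method = params[:5]
    args = list(params[5:])
    schema = models.get(model)
    if schema is None:
        return ("fault", "unknown model %r" % (model,))
    try:
        if method == "create":
            if len(args) != 1:
                return ("fault", "create expects exactly one values dict")
            return ("ok", validate_create_values(schema, args[0]))
        if method == "read":
            if not args:
                return ("fault", "read expects a list of record ids")
            fields = args[1] if len(args) > 1 else None
            ids, fields = validate_read_args(schema, args[0], fields)
            return ("ok", {"ids": ids, "fields": fields})
        return ("fault", "method %r is not exposed over RPC" % (method,))
    except ValidationError as exc:
        return ("fault", str(exc))


if __name__ == "__main__":
    # The two payloads from the report: a read with no fields argument, and
    # a create with a boolean name plus a field that is not in the model.
    print(execute(MODELS, ["openerp_debug", 1, "admin", "res.partner", "read", [45068]]))
    print(execute(MODELS, ["openerp_debug", 1, "admin", "res.partner", "create",
                           {"name": True, "whacky": "123oiuwefkajshfdq39r87239487234"}]))
```

With this in front of the dispatcher, the `read` without `fields` is simply expanded to every schema field (and an empty `ids` list is refused before any SQL is generated), while the `create` from the report is rejected twice over: `whacky` is not a field, and `True` is not a string. The example wraps a single id in a list and treats `False` as a valid many2one value because that is how ORM clients commonly send them; both are choices, not OpenERP behaviour.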

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/1024532/+subscriptions

