
openerp-india team mailing list archive

[Bug 1100907] Re: Missing protection against '%' in user data

 

** Description changed:

  On latest 7.0 branch :
  
  - create an empty database
  - install the 'sale' app
  - enable user CSV import in the settings
  - enable pricelists in the sale config
  - Create a file pricelist.csv containing :
  
  "active",".id","currency_id","id","name","visible_discount","company_id","type","version_id"
  "True","6","EUR (€)","list3","Public Pricelist -3%","True","","sale","Public Pricelist Version -3%"
  
  - Select this file in the import wizard of the pricelist list view.
  - click on Validate
  
  => traceback
    File "/home/dadafkas/projets/anybox/buildout.7.0/parts/openobject-server/7.0/openerp/osv/orm.py", line 1483, in _log
      message=unicode(exception.args[0]) % base)
  ValueError: unsupported format character ''' (0x27) at index 67
  
  The problem comes from the '%' in the user data, being interpreted by
  the % formatting. The bug is located in several places in the code, I
  could only find a few of them:
  
- openobject-server/openerp/osv/orm.py:1482
+ openobject-server/openerp/addons/base/ir/ir_fields.py:174
+ openobject-server/openerp/addons/base/ir/ir_fields.py:182
+ openobject-server/openerp/addons/base/ir/ir_fields.py:195
+ openobject-server/openerp/addons/base/ir/ir_fields.py:226
+ openobject-server/openerp/addons/base/ir/ir_fields.py:265
+ openobject-server/openerp/addons/base/ir/ir_fields.py:313
  openobject-server/openerp/addons/base/ir/ir_fields.py:342
  
  The quickfix is to *.replace('%', '%%')

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1100907

Title:
  Missing protection against '%' in user data

Status in OpenERP Server:
  New

Bug description:
  On latest 7.0 branch :

  - create an empty database
  - install the 'sale' app
  - enable user CSV import in the settings
  - enable pricelists in the sale config
  - Create a file pricelist.csv containing :

  "active",".id","currency_id","id","name","visible_discount","company_id","type","version_id"
  "True","6","EUR (€)","list3","Public Pricelist -3%","True","","sale","Public Pricelist Version -3%"

  - Select this file in the import wizard of the pricelist list view.
  - click on Validate

  => traceback
    File "/home/dadafkas/projets/anybox/buildout.7.0/parts/openobject-server/7.0/openerp/osv/orm.py", line 1483, in _log
      message=unicode(exception.args[0]) % base)
  ValueError: unsupported format character ''' (0x27) at index 67

  The problem comes from the '%' in the user data, being interpreted by
  the % formatting. The bug is located in several places in the code, I
  could only find a few of them:

  openobject-server/openerp/addons/base/ir/ir_fields.py:174
  openobject-server/openerp/addons/base/ir/ir_fields.py:182
  openobject-server/openerp/addons/base/ir/ir_fields.py:195
  openobject-server/openerp/addons/base/ir/ir_fields.py:226
  openobject-server/openerp/addons/base/ir/ir_fields.py:265
  openobject-server/openerp/addons/base/ir/ir_fields.py:313
  openobject-server/openerp/addons/base/ir/ir_fields.py:342

  The quickfix is to *.replace('%', '%%')

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/1100907/+subscriptions
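
Added example, not part of the bug report and not OpenERP's code: a constructed two-stage %-formatting pattern that reproduces the ValueError class from the traceback and shows the effect of the reported quickfix. The message text, the function names and the BASE dict are assumptions made for illustration; only the sample value comes from the CSV above.

```python
# Constructed illustration (not OpenERP code): a message is formatted twice.
# Stage 1 embeds the user-supplied value; stage 2 fills named placeholders,
# like `exception.args[0] % base` in the traceback above.

TEMPLATE = u"No matching record found for name '%s' in field '%%(field)s'"
BASE = {'field': 'name'}                  # hypothetical stage-2 parameters
SAMPLE = u"Public Pricelist -3%"          # value taken from the CSV in the report


def build_unsafe(value):
    # Stage 1: '%%(field)s' becomes '%(field)s', but any '%' inside `value`
    # is now also part of the template that stage 2 will parse.
    return TEMPLATE % value


def build_escaped(value):
    # The quickfix from the report: double '%' in user data before embedding.
    return TEMPLATE % value.replace('%', '%%')


def render(template, base=BASE):
    # Stage 2. Returns (ok, text); ok is False when formatting raises.
    try:
        return True, template % base
    except (ValueError, KeyError, TypeError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def check(value):
    # Run both variants on the same input so the results can be compared.
    return {'unsafe': render(build_unsafe(value)),
            'escaped': render(build_escaped(value))}


if __name__ == '__main__':
    # First value fails in the unsafe variant; the second renders but is
    # silently altered ('%%' collapses to '%') unless it was escaped.
    for value in (SAMPLE, u"50%% off"):
        for variant, (ok, text) in sorted(check(value).items()):
            print("%-8s %-5s %s" % (variant, ok, text))
```

The escape has to be applied at every site that embeds user data before the second formatting pass, which is why the report lists several locations.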

