← Back to team overview

savoirfairelinux-openerp team mailing list archive

  1. savoirfairelinux-openerp team
  2. Mailing list archive
  3. Message #01338

Re: [Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0

  Thread PreviousDate PreviousThread Next 
Review: Needs Fixing

l.469,502: Queries are still not fully sanitized, any quotes or percent sizes in the input will result in unexpected behaviour. This is a security risk and a major bug potential.
I highly recommend you to add a function to sanitize input in the cmis module for queries and follow the documentation from http://wiki.alfresco.com/wiki/CMIS_Query_Language#Literals

Basic escaping:

    \\ represents \
    \' represents '

In addition to basic escaping, in LIKE expressions

    \% represents %
    \_ represents _

-- 
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team Savoir-faire Linux' OpenERP is subscribed to branch lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read.

References

  Thread PreviousDate PreviousThread Next