savoirfairelinux-openerp team mailing list archive

Thread
Date

Re: [Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0

To: "El Hadji Dem \(http://www.savoirfairelinux.com\)" <elhadji.dem@xxxxxxxxxxxxxxxxxxxx>
From: "Sandy Carter \(http://www.savoirfairelinux.com\)" <sandy.carter@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 20 May 2014 15:18:07 -0000
In-reply-to: <20140321224421.27940.86732.launchpad@ackee.canonical.com>
Reply-to: mp+212260@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

Review: Needs Fixing

For better usability and security, your sanitize function should wrap the query function, the same way OE does, so that there is no way to call the query the wrong way.

Something along the lines of

safe_query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
           "cmis:contentStreamLength FROM  cmis:document "
           "WHERE cmis:name LIKE '%%%s%%'", filename)

def safe_query(query, *args):
    args = map(sanitize_input, args)
    return repo.query(query % args)

Make sure to make the these functions general purpose, not specific to this particular instance as it seems now (function name sanitize_input_filename_field sounds specific to filename, when it can be used on any query).

Finally, _make sure to put these functions in your topmost dependency (cmis) so any depending module can use it reliably.
-- 
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team Savoir-faire Linux' OpenERP is subscribed to branch lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read.

References

[Merge] lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp:knowledge-addons/7.0
From: El Hadji Dem (http://www.savoirfairelinux.com), 2014-03-21