From 5d83f783c29d7f36e8e65a386dad3a7d6e1cd82c Mon Sep 17 00:00:00 2001
From: EL HADJI DEM
Date: Thu, 15 May 2014 16:37:16 -0400
Subject: [PATCH] [IMP] Add constraint for avoidind SQL Injection

---
 cmis_read/wizard/document_wizard.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/cmis_read/wizard/document_wizard.py b/cmis_read/wizard/document_wizard.py
index 249c86c3..d4e331b8 100644
--- a/cmis_read/wizard/document_wizard.py
+++ b/cmis_read/wizard/document_wizard.py
@@ -120,7 +120,10 @@ def search_doc_from_dms(session, model_name, backend_id, file_name):
             ir_attach_dms_obj.unlink(session.cr, session.uid, attachment_ids,
                                      context=session.context)
     # Escape the name for characters not supported in filenames
-    file_name = file_name.replace('/', '_')
+    # for avoiding SQL Injection
+    file_name = file_name.replace("'", "\\'")
+    file_name = file_name.replace("%", "\%")
+    file_name = file_name.replace("_", "\_")
     # Get results from name of document
     results = repo.query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
                          "cmis:contentStreamLength FROM cmis:document "
@@ -166,8 +169,7 @@ def create_doc_from_dms(session, model_name, backend_id, data, name,
             'res_id': res_id,
             'user_id': uid,
         }
-    # Don't create doc again in DMS
-    session.context['bool_testdoc'] = True
+    session.context['bool_read_doc'] = True
     ir_attach_obj.create(session.cr, session.uid, data_attach,
                          context=session.context)
     return True
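Review bot: A backslash in file_name is never escaped, so the `\'` produced by the first added replace can be neutralised by a backslash already present in the input and the quote still terminates the literal; escape backslashes before anything else with `file_name = file_name.replace("\\", "\\\\")` as the first of the replace calls. The added `"\%"` and `"\_"` are invalid escape sequences that Python keeps literally today but warns about from 3.6 on, so spell them `"\\%"` and `"\\_"`. The removed `'/'`-to-`'_'` replacement was the only code that the surviving comment "Escape the name for characters not supported in filenames" described, so either keep that line or rewrite the comment to say the name is being escaped for the CMIS query literal. The query this value feeds, and the rest of search_doc_from_dms, continue outside the hunk, so whether it lands inside a quoted LIKE pattern cannot be confirmed here; if repo.query accepts bound parameters, that is preferable to hand escaping.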
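Review bot: The comment `# Don't create doc again in DMS` is dropped together with the renamed flag, leaving `session.context['bool_read_doc'] = True` with no explanation of what reads it or why; keep a one-line why-comment above the assignment, e.g. `# Don't create the doc again in the DMS when the attachment below is created`. The rename from 'bool_testdoc' is only visible on this side; whatever consumes the flag is outside the diff, so it is worth confirming the reader was updated in the same change, otherwise the flag is silently ignored. The key is also left set on the shared session.context after the create call returns, which predates this commit but is easier to reason about if the key is cleared afterwards or a copied context is passed. create_doc_from_dms starts outside the hunk.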