NeoAnd/knowledge
1
0
Fork 0
mirror of https://github.com/OCA/knowledge.git synced 2025-07-16 12:12:57 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

[IMP] Add constraint for avoidind SQL Injection

Browse Source
This commit is contained in:
EL HADJI DEM 2014-05-15 16:37:16 -04:00 committed by Sandy Carter
parent 37f63bbdaf
commit 5d83f783c2
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmis_read/wizard/document_wizard.py
View File

@ -120,7 +120,10 @@ def search_doc_from_dms(session, model_name, backend_id, file_name):
ir_attach_dms_obj.unlink(session.cr, session.uid,
attachment_ids, context=session.context)
# Escape the name for characters not supported in filenames
file_name = file_name.replace('/', '_')
# for avoiding SQL Injection
file_name = file_name.replace("'", "\\'")
file_name = file_name.replace("%", "\%")
file_name = file_name.replace("_", "\_")
# Get results from name of document
results = repo.query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
"cmis:contentStreamLength FROM cmis:document "
@ -166,8 +169,7 @@ def create_doc_from_dms(session, model_name, backend_id, data, name,
'res_id': res_id,
'user_id': uid,
}
# Don't create doc again in DMS
session.context['bool_testdoc'] = True
session.context['bool_read_doc'] = True
ir_attach_obj.create(session.cr, session.uid,
data_attach, context=session.context)
return True