From 5f34a5029974a2875863c6c11cb170b43142ff0c Mon Sep 17 00:00:00 2001
From: EL HADJI DEM
Date: Thu, 15 May 2014 16:57:09 -0400
Subject: [PATCH] [IMP] Added a function to sanitize filename
---
 cmis_read/wizard/document_wizard.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/cmis_read/wizard/document_wizard.py b/cmis_read/wizard/document_wizard.py
index d4e331b8..de7a4a40 100644
--- a/cmis_read/wizard/document_wizard.py
+++ b/cmis_read/wizard/document_wizard.py
@@ -106,6 +106,15 @@ class ir_attachment_edm_wizard(orm.Model):
 return {'type': 'ir.actions.act_window_close'}
+def sanitize_input_filename_field(file_name):
+ # Escape the name for characters not supported in filenames
+ # for avoiding SQL Injection
+ file_name = file_name.replace("'", "\\'")
+ file_name = file_name.replace("%", "\%")
+ file_name = file_name.replace("_", "\_")
+ return file_name
+
+
 def search_doc_from_dms(session, model_name, backend_id, file_name):
 ir_attach_dms_obj = session.pool.get('ir.attachment.dms')
 cmis_backend_obj = session.pool.get('cmis.backend')
@@ -120,10 +129,7 @@ def search_doc_from_dms(session, model_name, backend_id, file_name):
 ir_attach_dms_obj.unlink(session.cr, session.uid, attachment_ids,
 context=session.context)
 # Escape the name for characters not supported in filenames
- # for avoiding SQL Injection
- file_name = file_name.replace("'", "\\'")
- file_name = file_name.replace("%", "\%")
- file_name = file_name.replace("_", "\_")
+ file_name = sanitize_input_filename_field(file_name)
 # Get results from name of document
 results = repo.query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
 "cmis:contentStreamLength FROM cmis:document "
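Review bot: The new `sanitize_input_filename_field` escapes `'`, `%` and `_` but never escapes the backslash itself, so an input that already contains a backslash before a quote leaves that quote effectively unescaped once the value is spliced into the query string; the escape character must be handled first, `file_name = file_name.replace("\\", "\\\\")` as the first replacement. The literals `"\%"` and `"\_"` are also invalid escape sequences in Python (they happen to keep the backslash, but emit DeprecationWarning/SyntaxWarning on newer interpreters) and should be raw strings, `r"\%"` and `r"\_"`. Since the value feeds a CMIS query rather than SQL, the comment "for avoiding SQL Injection" is inaccurate; a docstring stating that the function escapes CMIS QL string-literal and LIKE metacharacters, and that it is a last-resort measure where the query cannot be parameterised, would describe the contract better. Note too that `%`/`_` escaping only has meaning inside a LIKE pattern, which the visible hunks do not show.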
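Review bot: In `search_doc_from_dms` the retained context comment `# Escape the name for characters not supported in filenames` now sits alone above the call and no longer describes what happens — the helper escapes query metacharacters, not characters unsupported in filenames. Replace it with `# Escape CMIS QL metacharacters before file_name is interpolated into the query below`. The enclosing function begins before this hunk and its `repo.query(...)` call continues past the last line shown, so the actual interpolation of `file_name` is not visible here.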