There's a FIXME asking for some generated SQL that uses string interpolation to be investigated.
I investigated. It's safe - it only interpolates table/column names, not user-controlled data. Replace the FIXME with an explanatory statement. Signed-off-by: Daniel Axtens <d...@axtens.net> --- patchwork/views/user.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/patchwork/views/user.py b/patchwork/views/user.py index 79c615aa2da0..2a2d704679e0 100644 --- a/patchwork/views/user.py +++ b/patchwork/views/user.py @@ -117,7 +117,11 @@ def profile(request): 'profileform': form, } - # FIXME(stephenfin): This looks unsafe. Investigate. + # This looks unsafe but is actually fine: it just gets the names + # of tables and columns, not user-supplied data. + # + # An example of generated SQL is: + # patchwork_person.email IN (SELECT email FROM patchwork_emailoptout) optout_query = '%s.%s IN (SELECT %s FROM %s)' % ( Person._meta.db_table, Person._meta.get_field('email').column, -- 2.14.1 _______________________________________________ Patchwork mailing list Patchwork@lists.ozlabs.org https://lists.ozlabs.org/listinfo/patchwork