There's a FIXME asking for some generated SQL that uses string
interpolation to be investigated.
I investigated.
It's safe - it only interpolates table/column names, not
user-controlled data.
Replace the FIXME with an explanatory statement.
Signed-off-by: Daniel Axtens <d...@axtens.net>
---
patchwork/views/user.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/patchwork/views/user.py b/patchwork/views/user.py
index 79c615aa2da0..2a2d704679e0 100644
--- a/patchwork/views/user.py
+++ b/patchwork/views/user.py
@@ -117,7 +117,11 @@ def profile(request):
'profileform': form,
}
- # FIXME(stephenfin): This looks unsafe. Investigate.
+ # This looks unsafe but is actually fine: it just gets the names
+ # of tables and columns, not user-supplied data.
+ #
+ # An example of generated SQL is:
+ # patchwork_person.email IN (SELECT email FROM patchwork_emailoptout)
optout_query = '%s.%s IN (SELECT %s FROM %s)' % (
Person._meta.db_table,
Person._meta.get_field('email').column,
--
2.14.1
_______________________________________________
Patchwork mailing list
Patchwork@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/patchwork
