Review: Needs Fixing

l.471 Still severe bug and injection potential
Try: filename = "sql%' OR '1' = '1' OR '%injection"

CMIS must provide a code escape function, otherwise use OpenERP's. It is important that you don't do this manually.
https://en.wikipedia.org/wiki/Sql_injection

There are also no unittests. The previous example would be a good thing to test.
--
https://code.launchpad.net/~savoirfairelinux-openerp/knowledge-addons/cmis_read/+merge/212260
Your team Savoir-faire Linux' OpenERP is subscribed to branch lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read.
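A regression test of the kind the review asks for, written here as an added example that is not part of the merge proposal or the add-on. The query shape, all function names and the stand-in escaper are assumptions, since line 471 is not shown on this page; only the filename value comes from the review.

```python
import re

# Assumed query shape: line 471 of the merge proposal is not shown on the page.
QUERY = "SELECT cmis:name FROM cmis:document WHERE cmis:name LIKE '%{}%'"
REVIEW_FILENAME = "sql%' OR '1' = '1' OR '%injection"  # value from the review

def build_naive(filename):
    """String concatenation with no escaping."""
    return QUERY.format(filename)

def escape_like(value):
    """Stand-in escaper: backslash before backslash, quote, % and _.
    In the add-on, call the library-provided helper here instead."""
    return re.sub(r"([\\'%_])", r"\\\1", value)

def build_escaped(filename):
    return QUERY.format(escape_like(filename))

def split_literals(query):
    """Return (string literals, text outside them), honouring backslash escapes."""
    literals, outside, current, in_literal, i = [], [], [], False, 0
    while i < len(query):
        ch = query[i]
        if in_literal and ch == "\\" and i + 1 < len(query):
            current.append(query[i:i + 2])  # escaped pair stays in the literal
            i += 2
            continue
        if ch == "'":
            if in_literal:
                literals.append("".join(current))
                current = []
            in_literal = not in_literal
        elif in_literal:
            current.append(ch)
        else:
            outside.append(ch)
        i += 1
    if in_literal:
        raise ValueError("unterminated string literal")
    return literals, "".join(outside)

def is_single_predicate(query):
    """True when the input stayed inside one literal and added no OR/AND."""
    literals, outside = split_literals(query)
    return len(literals) == 1 and not re.search(r"\b(OR|AND)\b", outside, re.I)

if __name__ == "__main__":
    for build in (build_naive, build_escaped):
        query = build(REVIEW_FILENAME)
        print(build.__name__, is_single_predicate(query), query)
```

The same `is_single_predicate` check can be pointed at whichever escape helper the add-on ends up using, so the test does not depend on the stand-in.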

