Code review comment for lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read

Sandy Carter (http://www.savoirfairelinux.com) (sandy-carter) wrote :

l.469,502: Queries are still not fully sanitized, any quotes or percent signs in the input will result in unexpected behaviour. This is a security risk and a major bug potential.
I highly recommend that you add a function to sanitize input in the cmis module for queries and follow the documentation from http://wiki.alfresco.com/wiki/CMIS_Query_Language#Literals

Basic escaping:

    \\ represents \
    \' represents '

In addition to basic escaping, in LIKE expressions

    \% represents %
    \_ represents _

review: Needs Fixing
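The following is an added example, not code from the cmis_read branch or the cmis module under review, showing what the escaping helper requested above looks like in Python when it follows the CMIS QL literal rules quoted in the comment (backslash first, then single quote; plus % and _ for LIKE patterns). The function names escape_cmis_literal, escape_cmis_like, build_document_query, naive_document_query and quotes_balanced are assumptions for illustration; the cmis:document type and cmis:name / cmis:objectId properties are standard CMIS names. quotes_balanced is a small self-check that detects the unbalanced literal produced by raw interpolation, which is the failure mode the review points at.

```python
# Added example (not code from the cmis_read branch): escaping user-supplied
# values before they are interpolated into a CMIS QL string literal.
# All function names here are assumptions for illustration.


def escape_cmis_literal(value):
    """Apply basic CMIS QL escaping to a string literal value.

    The backslash is escaped first, so that the backslash inserted in front
    of a quote in the second step is not doubled again afterwards.
    """
    return value.replace('\\', '\\\\').replace("'", "\\'")


def escape_cmis_like(value):
    """Escape a value that is placed inside a LIKE pattern.

    On top of the basic escaping, the wildcards % and _ are escaped so that
    user input matches literally instead of widening the pattern.
    """
    return escape_cmis_like_wildcards(escape_cmis_literal(value))


def escape_cmis_like_wildcards(value):
    """Escape only the LIKE wildcards (used after basic escaping)."""
    return value.replace('%', '\\%').replace('_', '\\_')


def build_document_query(name, like=False):
    """Build a CMIS QL query for documents by name, with the value escaped."""
    if like:
        return ("SELECT cmis:objectId FROM cmis:document "
                "WHERE cmis:name LIKE '%s'" % escape_cmis_like(name))
    return ("SELECT cmis:objectId FROM cmis:document "
            "WHERE cmis:name = '%s'" % escape_cmis_literal(name))


def naive_document_query(name):
    """The pattern the review objects to: raw interpolation, no escaping."""
    return ("SELECT cmis:objectId FROM cmis:document "
            "WHERE cmis:name = '%s'" % name)


def quotes_balanced(query):
    """Return True if every single quote in the query either opens or closes
    a literal, or is escaped by a backslash inside a literal.

    Inside a literal a backslash always consumes the next character, which
    is exactly how the escaping rules above are meant to be read back.
    """
    in_literal = False
    i = 0
    while i < len(query):
        char = query[i]
        if in_literal and char == '\\':
            i += 2  # skip the escaped character
            continue
        if char == "'":
            in_literal = not in_literal
        i += 1
    return not in_literal


if __name__ == "__main__":
    # Constructed sample input containing a quote, a backslash and wildcards.
    name = "O'Brien\\50%_report"
    print(build_document_query(name))
    print(build_document_query(name, like=True))
    print("escaped query balanced:", quotes_balanced(build_document_query(name)))
    print("naive query balanced:  ", quotes_balanced(naive_document_query(name)))
```

The escaping order matters: escaping the quote before the backslash would turn ' into \' and then double that backslash into \\', which the CMIS parser reads as an escaped backslash followed by a closing quote. Keeping two separate helpers for equality literals and LIKE patterns also avoids escaping % and _ where they are not special, which would otherwise silently change the comparison value.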
