Code review comment for lp:~savoirfairelinux-openerp/knowledge-addons/cmis_read

Sandy Carter (http://www.savoirfairelinux.com) (sandy-carter) wrote :

For better usability and security, your sanitize function should wrap the query function, the same way OE does, so that there is no way to call the query the wrong way.

Something along the lines of

safe_query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
           "cmis:contentStreamLength FROM cmis:document "
           "WHERE cmis:name LIKE '%%%s%%'", filename)

def safe_query(query, *args):
    # sanitize every argument, then interpolate as a tuple: the % operator
    # needs a tuple (a list would be formatted as one value), whether there
    # is one placeholder or several
    args = tuple(sanitize_input(arg) for arg in args)
    return repo.query(query % args)

Make sure to make these functions general purpose, not specific to this particular instance as it seems now (function name sanitize_input_filename_field sounds specific to filename, when it can be used on any query).

Finally, make sure to put these functions in your topmost dependency (cmis) so any depending module can use it reliably.

review: Needs Fixing
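An added example of the general-purpose wrapper the review asks for (not code from the cmis_read branch or from the reviewer): every argument is escaped for a CMIS string literal, and for LIKE wildcards when `like=True` is passed, before being interpolated, and the wrapper is the only way a query is sent. `escape_cmis_literal`, `escape_cmis_like`, `build_query`, `RecordingRepo` and `lookup_by_filename` are names assumed here, and the escaping rules assumed are the CMIS 1.0 ones.

```python
# Added example, not code from the cmis_read branch. Assumes a cmislib-style
# repository object with a query(str) method, and CMIS 1.0 escaping rules:
# inside a single-quoted literal, backslash escapes ' and \; inside a LIKE
# pattern, backslash also escapes the wildcards % and _.

def escape_cmis_literal(value):
    """Escape a value for use inside a single-quoted CMIS string literal."""
    text = str(value)
    # backslashes first, so the escaping backslashes added next are not doubled
    return text.replace("\\", "\\\\").replace("'", "\\'")

def escape_cmis_like(value):
    """Escape a value for a LIKE pattern: quotes, backslashes and wildcards."""
    return escape_cmis_literal(value).replace("%", "\\%").replace("_", "\\_")

def build_query(template, *args, **options):
    """Interpolate escaped args into a %s template (like=True for LIKE patterns)."""
    escape = escape_cmis_like if options.get("like") else escape_cmis_literal
    # a tuple is required: a list would be formatted as a single value
    return template % tuple(escape(arg) for arg in args)

def safe_query(repo, template, *args, **options):
    """The only query entry point: callers pass template and values separately."""
    return repo.query(build_query(template, *args, **options))

class RecordingRepo(object):
    """Constructed stand-in for a repository: records the query text it receives."""

    def __init__(self):
        self.queries = []

    def query(self, statement):
        self.queries.append(statement)
        return []

FILENAME_TEMPLATE = ("SELECT cmis:name, cmis:createdBy, cmis:objectId, "
                     "cmis:contentStreamLength FROM cmis:document "
                     "WHERE cmis:name LIKE '%%%s%%'")

def lookup_by_filename(repo, filename):
    """Find documents whose name contains filename; wildcards in it are literal."""
    return safe_query(repo, FILENAME_TEMPLATE, filename, like=True)

if __name__ == "__main__":
    repo = RecordingRepo()
    lookup_by_filename(repo, "O'Reilly_2012.pdf")
    print(repo.queries[0])
```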
