Code review comment for lp://qastaging/~savoirfairelinux-openerp/knowledge-addons/cmis_read
Revision history for this message
| Sandy Carter (http://www.savoirfairelinux.com) (sandy-carter) wrote | # |
review:
Needs Fixing
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
f399f05
demo site
(Get the code!)
l.471 Still severe bug and injection potential
Try:
filename = "sql%' OR '1' = '1' OR '%injection"
CMIS must provide a code escape function, otherwise use OpenERP's. It is important that you don't do this manually.
https:/
There are also no unittests. The previous example would be a good thing to test.