Merge pull request #44 from gurneyalex/9.0-unsafe-eval

[SEC] report_xls: fix unsafe eval
8 years ago · 1fa32b234f
2 changed files with 3 additions and 2 deletions
--- a/report_xls/openerp.py
+++ b/report_xls/openerp.py
@ -21,7 +21,7 @@
 ##############################################################################
 {
    'name': 'Excel report engine',
-    'version': '8.0.0.6.0',
+    'version': '8.0.0.6.1',
    'license': 'AGPL-3',
    'author': "Noviat,Odoo Community Association (OCA)",
    'website': 'http://www.noviat.com',
--- a/report_xls/report_xls.py
+++ b/report_xls/report_xls.py
@ -26,6 +26,7 @@ import cStringIO
 from datetime import datetime
 from openerp.osv.fields import datetime as datetime_field
 from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT
+from openerp.tools.safe_eval import safe_eval
 import inspect
 from types import CodeType
 from openerp.report.report_sxw import report_sxw
@ -160,7 +161,7 @@ class report_xls(report_sxw):
        row = col_specs[wanted][rowtype][:]
        for i in range(len(row)):
            if isinstance(row[i], CodeType):
-                row[i] = eval(row[i], render_space)
+                row[i] = safe_eval(row[i], render_space)
        row.insert(0, wanted)
        return row