From 32b4e8c63567090f8a2ab1d97e44238d69f0823b Mon Sep 17 00:00:00 2001
From: Alexandre Fayolle
Date: Mon, 15 Feb 2016 10:15:10 +0100
Subject: [PATCH] [SEC] report_xls: fix unsafe eval
---
 report_xls/__openerp__.py | 2 +-
 report_xls/report_xls.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/report_xls/__openerp__.py b/report_xls/__openerp__.py
index 4148c032..cddc757e 100644
--- a/report_xls/__openerp__.py
+++ b/report_xls/__openerp__.py
@@ -21,7 +21,7 @@
 ##############################################################################
 {
 'name': 'Excel report engine',
- 'version': '8.0.0.6.0',
+ 'version': '8.0.0.6.1',
 'license': 'AGPL-3',
 'author': "Noviat,Odoo Community Association (OCA)",
 'website': 'http://www.noviat.com',
diff --git a/report_xls/report_xls.py b/report_xls/report_xls.py
index 4746b4b9..c45e289f 100644
--- a/report_xls/report_xls.py
+++ b/report_xls/report_xls.py
@@ -26,6 +26,7 @@ import cStringIO
 from datetime import datetime
 from openerp.osv.fields import datetime as datetime_field
 from openerp.tools import DEFAULT_SERVER_DATETIME_FORMAT
+from openerp.tools.safe_eval import safe_eval
 import inspect
 from types import CodeType
 from openerp.report.report_sxw import report_sxw
@@ -160,7 +161,7 @@ class report_xls(report_sxw):
 row = col_specs[wanted][rowtype][:]
 for i in range(len(row)):
 if isinstance(row[i], CodeType):
- row[i] = eval(row[i], render_space)
+ row[i] = safe_eval(row[i], render_space)
 row.insert(0, wanted)
 return row
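Review bot: In the last report_xls.py hunk, `row[i] = safe_eval(row[i], render_space)` is only reached when `isinstance(row[i], CodeType)` is true, so safe_eval receives an already-compiled code object rather than expression source. safe_eval's protection comes from compiling the source itself and checking the resulting opcodes, and as far as I recall the openerp implementation raises `TypeError` when given a code object, which would make every compiled template cell fail here; please confirm against the targeted 8.0 release and add a test that renders a spec with a compiled cell. If that holds, swapping the call alone is not enough: the spec cells would need to carry the expression as source text, distinguishable from literal strings, so that safe_eval does the compiling. The enclosing method starts outside the hunk, so how `render_space` is built is not visible; a comment above the loop stating which names it exposes to the expression, e.g. `# render_space: names visible to template expressions; keep template sources developer-controlled`, would help the next reviewer.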