From 1137d43cf199dec38939cf2ecd7f83e9c728f547 Mon Sep 17 00:00:00 2001
From: Alexandre Fayolle
Date: Mon, 15 Feb 2016 10:22:02 +0100
Subject: [PATCH] [SEC] fetchmail_attach_from_folder: fix unsafe eval

---
 fetchmail_attach_from_folder/__openerp__.py | 2 +-
 fetchmail_attach_from_folder/model/fetchmail_server.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/fetchmail_attach_from_folder/__openerp__.py b/fetchmail_attach_from_folder/__openerp__.py
index af1c82abf..d1fc175eb 100644
--- a/fetchmail_attach_from_folder/__openerp__.py
+++ b/fetchmail_attach_from_folder/__openerp__.py
@@ -23,7 +23,7 @@
 {
 'name': 'Email gateway - folders',
 'summary': 'Attach mails in an IMAP folder to existing objects',
- 'version': '8.0.1.0.0',
+ 'version': '8.0.1.0.1',
 'author': "Therp BV,Odoo Community Association (OCA)",
 'website': 'http://www.therp.nl',
 'license': 'AGPL-3',
diff --git a/fetchmail_attach_from_folder/model/fetchmail_server.py b/fetchmail_attach_from_folder/model/fetchmail_server.py
index fc6c709f3..c00c0d200 100644
--- a/fetchmail_attach_from_folder/model/fetchmail_server.py
+++ b/fetchmail_attach_from_folder/model/fetchmail_server.py
@@ -25,6 +25,7 @@ import simplejson
 from lxml import etree
 from openerp import models, fields, api, exceptions
 from openerp.tools.translate import _
+from openerp.tools.safe_eval import safe_eval
 from openerp.tools.misc import UnquoteEvalContext
 
 _logger = logging.getLogger(__name__)
@@ -253,7 +254,7 @@ class fetchmail_server(models.Model):
 if field.tag == 'field' and field.get('name') in modifiers:
 field.set('modifiers', simplejson.dumps(
 dict(
- eval(field.attrib['modifiers'],
+ safe_eval(field.attrib['modifiers'],
 UnquoteEvalContext({})),
 **modifiers[field.attrib['name']])))
 if (field.tag == 'field' and
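Review bot: The replacement call in the last hunk still passes `UnquoteEvalContext({})` as the globals argument, and as far as I know `safe_eval` copies any environment that is not a plain `dict` into an ordinary one unless `nocopy=True` is given, logging a warning each time. If so, the unquoting fallback for bare names such as `true` or `false` in the `modifiers` attribute is probably lost and those views would start raising; please confirm against the `openerp.tools.safe_eval` this branch runs on. If the fallback is needed, `safe_eval(field.attrib['modifiers'], UnquoteEvalContext({}), nocopy=True)` keeps it. If the attribute is always the JSON written by the view layer, `simplejson.loads(field.attrib['modifiers'])` would avoid evaluating view-supplied text altogether. The enclosing method starts and ends outside the hunk, so the origin of the arch being processed is not visible here.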