
[SEC] fetchmail_attach_from_folder: fix unsafe eval

pull/361/head
Alexandre Fayolle 9 years ago
parent
commit
1137d43cf1
  1. 2
      fetchmail_attach_from_folder/__openerp__.py
  2. 3
      fetchmail_attach_from_folder/model/fetchmail_server.py

2
fetchmail_attach_from_folder/__openerp__.py

@ -23,7 +23,7 @@
{ {
'name': 'Email gateway - folders', 'name': 'Email gateway - folders',
'summary': 'Attach mails in an IMAP folder to existing objects', 'summary': 'Attach mails in an IMAP folder to existing objects',
'version': '8.0.1.0.0',
'version': '8.0.1.0.1',
'author': "Therp BV,Odoo Community Association (OCA)", 'author': "Therp BV,Odoo Community Association (OCA)",
'website': 'http://www.therp.nl', 'website': 'http://www.therp.nl',
'license': 'AGPL-3', 'license': 'AGPL-3',

3
fetchmail_attach_from_folder/model/fetchmail_server.py

@ -25,6 +25,7 @@ import simplejson
from lxml import etree from lxml import etree
from openerp import models, fields, api, exceptions from openerp import models, fields, api, exceptions
from openerp.tools.translate import _ from openerp.tools.translate import _
from openerp.tools.safe_eval import safe_eval
from openerp.tools.misc import UnquoteEvalContext from openerp.tools.misc import UnquoteEvalContext
_logger = logging.getLogger(__name__) _logger = logging.getLogger(__name__)
@ -253,7 +254,7 @@ class fetchmail_server(models.Model):
if field.tag == 'field' and field.get('name') in modifiers: if field.tag == 'field' and field.get('name') in modifiers:
field.set('modifiers', simplejson.dumps( field.set('modifiers', simplejson.dumps(
dict( dict(
eval(field.attrib['modifiers'],
safe_eval(field.attrib['modifiers'],
UnquoteEvalContext({})), UnquoteEvalContext({})),
**modifiers[field.attrib['name']]))) **modifiers[field.attrib['name']])))
if (field.tag == 'field' and if (field.tag == 'field' and
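Review bot: The new `safe_eval(field.attrib['modifiers'], UnquoteEvalContext({}))` call still runs an expression evaluator over the view's `modifiers` attribute, and it passes a context that is not a plain dict without `nocopy=True`. safe_eval may therefore copy the context into an ordinary dict and lose the unknown-name fallback that `UnquoteEvalContext` gave under `eval`; this is worth checking with a modifiers value that contains `true` or `false`. If the attribute is JSON written by the view machinery, which the surrounding `simplejson.dumps` suggests but the hunk does not show, parsing it removes evaluation entirely: `dict(simplejson.loads(field.attrib['modifiers']), **modifiers[field.attrib['name']])`. If evaluation has to stay, a short comment saying where the attribute value comes from and why it is trusted would help the next reviewer. The enclosing method starts and ends outside the hunk.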
