[SEC] auth_generate_password, fetchmail_attach_from_folder: fix unsafe eval

8 years ago · 33a8e512dd
4 changed files with 18 additions and 9 deletions
--- a/auth_generate_password/openerp.py
+++ b/auth_generate_password/openerp.py
@ -22,7 +22,7 @@

 {
    'name': 'Authentification - Generate Password',
-    'version': '1.0',
+    'version': '7.0.1.0.1',
    'category': 'Tools',
    'description': """
 Password Secure
--- a/auth_generate_password/model/res_users.py
+++ b/auth_generate_password/model/res_users.py
@ -27,6 +27,7 @@ import random

 from openerp.osv.orm import Model, except_orm
 from openerp.tools.translate import _
+from openerp.tools.safe_eval import safe_eval


 class res_users(Model):
@ -44,9 +45,9 @@ class res_users(Model):
                cr, uid, 'auth_generate_password.password_size'))
        except:
            raise except_orm(_("error"), _("Only digit chars authorized"))
-        password_size = eval(icp_obj.get_param(
+        password_size = safe_eval(icp_obj.get_param(
            cr, uid, 'auth_generate_password.password_size'))
-        password_chars = eval(icp_obj.get_param(
+        password_chars = safe_eval(icp_obj.get_param(
            cr, uid, 'auth_generate_password.password_chars'))
        et = imd_obj.get_object(
            cr, uid, 'auth_generate_password', 'generate_password_template')
--- a/fetchmail_attach_from_folder/openerp.py
+++ b/fetchmail_attach_from_folder/openerp.py
@ -22,7 +22,7 @@

 {
    'name': 'Attach mails in an IMAP folder to existing objects',
-    'version': '1.0',
+    'version': '7.0.1.0.1',
    'description': """
 Adds the possibility to attach emails from a certain IMAP folder to objects,
 ie partners. Matching is done via several algorithms, ie email address.
--- a/fetchmail_attach_from_folder/model/fetchmail_server.py
+++ b/fetchmail_attach_from_folder/model/fetchmail_server.py
@ -25,6 +25,7 @@ import simplejson
 from lxml import etree
 from openerp.osv.orm import Model, except_orm
 from openerp.tools.translate import _
+from openerp.tools.safe_eval import safe_eval
 from openerp.osv import fields
 from openerp.addons.fetchmail.fetchmail import _logger as logger
 from openerp.tools.misc import UnquoteEvalContext
@ -267,11 +268,18 @@ class fetchmail_server(Model):

            for field in view:
                if field.tag == 'field' and field.get('name') in modifiers:
-                    field.set('modifiers', simplejson.dumps(
-                        dict(
-                            eval(field.attrib['modifiers'],
-                                 UnquoteEvalContext({})),
-                            **modifiers[field.attrib['name']])))
+                    field.set(
+                        'modifiers',
+                        simplejson.dumps(
+                            dict(
+                                safe_eval(
+                                    field.attrib['modifiers'],
+                                    UnquoteEvalContext({})
+                                ),
+                                **modifiers[field.attrib['name']]
+                            )
+                        ),
+                    )
                if (field.tag == 'field' and
                        field.get('name') == 'match_algorithm'):
                    field.set('help', docstr)