
[SEC] auth_generate_password, fetchmail_attach_from_folder: fix unsafe eval

7.0
Alexandre Fayolle 9 years ago
committed by Holger Brunn
parent
commit
33a8e512dd
  1. 2
      auth_generate_password/__openerp__.py
  2. 5
      auth_generate_password/model/res_users.py
  3. 2
      fetchmail_attach_from_folder/__openerp__.py
  4. 16
      fetchmail_attach_from_folder/model/fetchmail_server.py

2
auth_generate_password/__openerp__.py

@ -22,7 +22,7 @@
{ {
'name': 'Authentification - Generate Password', 'name': 'Authentification - Generate Password',
'version': '1.0',
'version': '7.0.1.0.1',
'category': 'Tools', 'category': 'Tools',
'description': """ 'description': """
Password Secure Password Secure

5
auth_generate_password/model/res_users.py

@ -27,6 +27,7 @@ import random
from openerp.osv.orm import Model, except_orm from openerp.osv.orm import Model, except_orm
from openerp.tools.translate import _ from openerp.tools.translate import _
from openerp.tools.safe_eval import safe_eval
class res_users(Model): class res_users(Model):
@ -44,9 +45,9 @@ class res_users(Model):
cr, uid, 'auth_generate_password.password_size')) cr, uid, 'auth_generate_password.password_size'))
except: except:
raise except_orm(_("error"), _("Only digit chars authorized")) raise except_orm(_("error"), _("Only digit chars authorized"))
password_size = eval(icp_obj.get_param(
password_size = safe_eval(icp_obj.get_param(
cr, uid, 'auth_generate_password.password_size')) cr, uid, 'auth_generate_password.password_size'))
password_chars = eval(icp_obj.get_param(
password_chars = safe_eval(icp_obj.get_param(
cr, uid, 'auth_generate_password.password_chars')) cr, uid, 'auth_generate_password.password_chars'))
et = imd_obj.get_object( et = imd_obj.get_object(
cr, uid, 'auth_generate_password', 'generate_password_template') cr, uid, 'auth_generate_password', 'generate_password_template')
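Review bot: `auth_generate_password.password_size` and `auth_generate_password.password_chars` are still evaluated as Python expressions. `safe_eval` restricts what the expression may do, but a stored setting is safer parsed as data. The guarded call just above the changed lines appears to validate the size as an integer already (its opening line is outside the hunk, so this is inferred from the "Only digit chars authorized" error), so the size could be read with `password_size = int(icp_obj.get_param(cr, uid, 'auth_generate_password.password_size'))`. `safe_eval` is called here without a globals or locals dict, so a stored `password_chars` expression that relies on any module-level name would no longer resolve; confirm this against the module's default value. The bare `except:` in the context lines would also be clearer as `except (TypeError, ValueError):`; the enclosing method starts and ends outside the hunk.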

2
fetchmail_attach_from_folder/__openerp__.py

@ -22,7 +22,7 @@
{ {
'name': 'Attach mails in an IMAP folder to existing objects', 'name': 'Attach mails in an IMAP folder to existing objects',
'version': '1.0',
'version': '7.0.1.0.1',
'description': """ 'description': """
Adds the possibility to attach emails from a certain IMAP folder to objects, Adds the possibility to attach emails from a certain IMAP folder to objects,
ie partners. Matching is done via several algorithms, ie email address. ie partners. Matching is done via several algorithms, ie email address.

16
fetchmail_attach_from_folder/model/fetchmail_server.py

@ -25,6 +25,7 @@ import simplejson
from lxml import etree from lxml import etree
from openerp.osv.orm import Model, except_orm from openerp.osv.orm import Model, except_orm
from openerp.tools.translate import _ from openerp.tools.translate import _
from openerp.tools.safe_eval import safe_eval
from openerp.osv import fields from openerp.osv import fields
from openerp.addons.fetchmail.fetchmail import _logger as logger from openerp.addons.fetchmail.fetchmail import _logger as logger
from openerp.tools.misc import UnquoteEvalContext from openerp.tools.misc import UnquoteEvalContext
@ -267,11 +268,18 @@ class fetchmail_server(Model):
for field in view: for field in view:
if field.tag == 'field' and field.get('name') in modifiers: if field.tag == 'field' and field.get('name') in modifiers:
field.set('modifiers', simplejson.dumps(
field.set(
'modifiers',
simplejson.dumps(
dict( dict(
eval(field.attrib['modifiers'],
UnquoteEvalContext({})),
**modifiers[field.attrib['name']])))
safe_eval(
field.attrib['modifiers'],
UnquoteEvalContext({})
),
**modifiers[field.attrib['name']]
)
),
)
if (field.tag == 'field' and if (field.tag == 'field' and
field.get('name') == 'match_algorithm'): field.get('name') == 'match_algorithm'):
field.set('help', docstr) field.set('help', docstr)
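Review bot: The `modifiers` attribute is written back with `simplejson.dumps`, which suggests it holds JSON, yet the new code still evaluates it as an expression through `safe_eval(field.attrib['modifiers'], UnquoteEvalContext({}))`. If the attribute is always JSON (inferred, not shown in this hunk), `simplejson.loads(field.attrib['modifiers'])` parses it as data and removes the evaluation step altogether. `field.attrib['modifiers']` also raises `KeyError` for a matching field that carries no such attribute, where `field.get('modifiers', '{}')` would not. The enclosing method starts outside the hunk.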
