[fix] injection

2015-11-17 18:27:50 +05:30 · 2015-11-17 18:27:50 +05:30 · da79740cdf
commit da79740cdf
parent 3667da1053
11 changed files with 53 additions and 50 deletions
--- a/erpnext/accounts/doctype/journal_entry/journal_entry.py
+++ b/erpnext/accounts/doctype/journal_entry/journal_entry.py
@ -2,7 +2,7 @@
 # License: GNU General Public License v3. See license.txt

 from __future__ import unicode_literals
-import frappe
+import frappe, json
 from frappe.utils import cstr, flt, fmt_money, formatdate
 from frappe import msgprint, _, scrub
 from erpnext.controllers.accounts_controller import AccountsController
@ -283,7 +283,7 @@ class JournalEntry(AccountsController):
 				frappe.throw(_("Please check Multi Currency option to allow accounts with other currency"))

 		self.set_exchange_rate()
-	
+
 	def set_amounts_in_company_currency(self):
 		for d in self.get("accounts"):
 			d.debit = flt(flt(d.debit_in_account_currency)*flt(d.exchange_rate), d.precision("debit"))
@ -520,14 +520,14 @@ def get_default_bank_cash_account(company, voucher_type, mode_of_payment=None):
 			"account_currency": account_details.account_currency,
 			"account_type": account_details.account_type
 		}
-		
+
@frappe.whitelist()
 def get_payment_entry_against_order(dt, dn):
 	ref_doc = frappe.get_doc(dt, dn)
-	
+
 	if flt(ref_doc.per_billed, 2) > 0:
 		frappe.throw(_("Can only make payment against unbilled {0}").format(dt))
-		
+
 	if dt == "Sales Order":
 		party_type = "Customer"
 		amount_field_party = "credit_in_account_currency"
@ -536,15 +536,15 @@ def get_payment_entry_against_order(dt, dn):
 		party_type = "Supplier"
 		amount_field_party = "debit_in_account_currency"
 		amount_field_bank = "credit_in_account_currency"
-		
+
 	party_account = get_party_account(party_type, ref_doc.get(party_type.lower()), ref_doc.company)
 	party_account_currency = get_account_currency(party_account)
-	
+
 	if party_account_currency == ref_doc.company_currency:
 		amount = flt(ref_doc.base_grand_total) - flt(ref_doc.advance_paid)
 	else:
 		amount = flt(ref_doc.grand_total) - flt(ref_doc.advance_paid)
-		
+
 	return get_payment_entry(ref_doc, {
 		"party_type": party_type,
 		"party_account": party_account,
@ -555,7 +555,7 @@ def get_payment_entry_against_order(dt, dn):
 		"remarks": 'Advance Payment received against {0} {1}'.format(dt, dn),
 		"is_advance": "Yes"
 	})
-	
+
@frappe.whitelist()
 def get_payment_entry_against_invoice(dt, dn):
 	ref_doc = frappe.get_doc(dt, dn)
@ -569,7 +569,7 @@ def get_payment_entry_against_invoice(dt, dn):
 		party_account = ref_doc.credit_to
 		amount_field_party = "debit_in_account_currency"
 		amount_field_bank = "credit_in_account_currency"
-		
+
 	return get_payment_entry(ref_doc, {
 		"party_type": party_type,
 		"party_account": party_account,
@ -580,10 +580,10 @@ def get_payment_entry_against_invoice(dt, dn):
 		"remarks": 'Payment received against {0} {1}. {2}'.format(dt, dn, ref_doc.remarks),
 		"is_advance": "No"
 	})
-	
+
 def get_payment_entry(ref_doc, args):
 	cost_center = frappe.db.get_value("Company", ref_doc.company, "cost_center")
-	exchange_rate = get_exchange_rate(args.get("party_account"), args.get("party_account_currency"), 
+	exchange_rate = get_exchange_rate(args.get("party_account"), args.get("party_account_currency"),
 		ref_doc.company, ref_doc.doctype, ref_doc.name)

 	jv = frappe.new_doc("Journal Entry")
@ -592,7 +592,7 @@ def get_payment_entry(ref_doc, args):
 		"company": ref_doc.company,
 		"remark": args.get("remarks")
 	})
-	
+
 	party_row = jv.append("accounts", {
 		"account": args.get("party_account"),
 		"party_type": args.get("party_type"),
@ -614,11 +614,11 @@ def get_payment_entry(ref_doc, args):
 	bank_account = get_default_bank_cash_account(ref_doc.company, "Bank Entry")
 	if bank_account:
 		bank_row.update(bank_account)
-		bank_row.exchange_rate = get_exchange_rate(bank_account["account"], 
+		bank_row.exchange_rate = get_exchange_rate(bank_account["account"],
 			bank_account["account_currency"], ref_doc.company)
-			
+
 	bank_row.cost_center = cost_center
-	
+
 	if bank_row.account_currency == args.get("party_account_currency"):
 		bank_row.set(args.get("amount_field_bank"), args.get("amount"))
 	else:
@ -630,7 +630,7 @@ def get_payment_entry(ref_doc, args):
 			jv.multi_currency = 1

 	jv.set_amounts_in_company_currency()
-	
+
 	return jv.as_dict()

@frappe.whitelist()
@ -647,14 +647,17 @@ def get_against_jv(doctype, txt, searchfield, start, page_len, filters):
 		from `tabJournal Entry` jv, `tabJournal Entry Account` jv_detail
 		where jv_detail.parent = jv.name and jv_detail.account = %s and ifnull(jv_detail.party, '') = %s
 		and ifnull(jv_detail.reference_type, '') = ''
-		and jv.docstatus = 1 and jv.{0} like %s order by jv.name desc limit %s, %s""".format(searchfield),
+		and jv.docstatus = 1 and jv.`{0}` like %s order by jv.name desc limit %s, %s""".format(frappe.db.escape(searchfield)),
 		(filters.get("account"), cstr(filters.get("party")), "%{0}%".format(txt), start, page_len))

@frappe.whitelist()
 def get_outstanding(args):
 	if not frappe.has_permission("Account"):
 		frappe.msgprint(_("No Permission"), raise_exception=1)
-	args = eval(args)
+
+	if isinstance(args, basestring):
+		args = json.loads(args)
+
 	company_currency = get_company_currency(args.get("company"))

 	if args.get("doctype") == "Journal Entry":
--- a/erpnext/accounts/doctype/payment_tool/payment_tool.py
+++ b/erpnext/accounts/doctype/payment_tool/payment_tool.py
@ -125,6 +125,6 @@ def get_against_voucher_amount(against_voucher_type, against_voucher_no, party_a
 		select_cond = "{0} as total_amount".format(ref_field)

 	details = frappe.db.sql("""select {0} from `tab{1}` where name = %s"""
-		.format(select_cond, against_voucher_type), against_voucher_no, as_dict=1)
+		.format(select_cond, frappe.db.escape(against_voucher_type)), against_voucher_no, as_dict=1)

 	return details[0] if details else {}
--- a/erpnext/accounts/doctype/pricing_rule/pricing_rule.py
+++ b/erpnext/accounts/doctype/pricing_rule/pricing_rule.py
@ -179,7 +179,7 @@ def get_pricing_rules(args):
 			if parent_groups:
 				if allow_blank: parent_groups.append('')
 				condition = " ifnull("+field+", '') in ('" + \
-					"', '".join([d.replace("'", "\\'").replace('"', '\\"').replace("%", "%%") for d in parent_groups])+"')"
+					"', '".join([frappe.db.escape(d) for d in parent_groups])+"')"
 		return condition


--- a/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py
+++ b/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py
@ -106,7 +106,7 @@ class PurchaseInvoice(BuyingController):
 	def check_for_stopped_or_closed_status(self):
 		check_list = []
 		pc_obj = frappe.get_doc('Purchase Common')
-		
+
 		for d in self.get('items'):
 			if d.purchase_order and not d.purchase_order in check_list and not d.purchase_receipt:
 				check_list.append(d.purchase_order)
@ -395,7 +395,7 @@ class PurchaseInvoice(BuyingController):

 	def on_cancel(self):
 		self.check_for_stopped_or_closed_status()
-		
+
 		if not self.is_return:
 			from erpnext.accounts.utils import remove_against_link_from_jv
 			remove_against_link_from_jv(self.doctype, self.name)
@ -438,10 +438,10 @@ def get_expense_account(doctype, txt, searchfield, start, page_len, filters):
 					or tabAccount.account_type in ("Expense Account", "Fixed Asset", "Temporary"))
 				and tabAccount.is_group=0
 				and tabAccount.docstatus!=2
-				and tabAccount.company = '%(company)s'
-				and tabAccount.%(key)s LIKE '%(txt)s'
-				%(mcond)s""" % {'company': filters['company'], 'key': searchfield,
-			'txt': "%%%s%%" % frappe.db.escape(txt), 'mcond':get_match_cond(doctype)})
+				and tabAccount.company = %(company)s
+				and tabAccount.{key} LIKE %(txt)s
+				{mcond}""".format( key=frappe.db.escape(searchfield), mcond=get_match_cond(doctype) ),
+				{ 'company': filters['company'], 'txt': "%%%s%%" % frappe.db.escape(txt) })

@frappe.whitelist()
 def make_debit_note(source_name, target_doc=None):
--- a/erpnext/accounts/page/accounts_browser/accounts_browser.py
+++ b/erpnext/accounts/page/accounts_browser/accounts_browser.py
@ -25,9 +25,9 @@ def get_children():
 		acc = frappe.db.sql(""" select
 			name as value, is_group as expandable %s
 			from `tab%s`
-			where ifnull(parent_%s,'') = ''
+			where ifnull(`parent_%s`,'') = ''
 			and `company` = %s	and docstatus<2
-			order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
+			order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				company, as_dict=1)

 		if args["parent"]=="Accounts":
@ -38,9 +38,9 @@ def get_children():
 		acc = frappe.db.sql("""select
 			name as value, is_group as expandable %s
 	 		from `tab%s`
-			where ifnull(parent_%s,'') = %s
+			where ifnull(`parent_%s`,'') = %s
 			and docstatus<2
-			order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
+			order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				args['parent'], as_dict=1)

 	if ctype == 'Account':
--- a/erpnext/accounts/utils.py
+++ b/erpnext/accounts/utils.py
@ -65,7 +65,7 @@ def get_balance_on(account=None, date=None, party_type=None, party=None, in_acco

 	cond = []
 	if date:
-		cond.append("posting_date <= '%s'" % date)
+		cond.append("posting_date <= '%s'" % frappe.db.escape(date))
 	else:
 		# get balance of all entries that exist
 		date = nowdate()
@ -105,11 +105,11 @@ def get_balance_on(account=None, date=None, party_type=None, party=None, in_acco
 			if acc.account_currency == frappe.db.get_value("Company", acc.company, "default_currency"):
 				in_account_currency = False
 		else:
-			cond.append("""gle.account = "%s" """ % (account.replace('"', '\\"'), ))
+			cond.append("""gle.account = "%s" """ % (frappe.db.escape(account), ))

 	if party_type and party:
 		cond.append("""gle.party_type = "%s" and gle.party = "%s" """ %
-			(party_type.replace('"', '\\"'), party.replace('"', '\\"')))
+			(frappe.db.escape(party_type), frappe.db.escape(party)))

 	if account or (party_type and party):
 		if in_account_currency:
--- a/erpnext/projects/utils.py
+++ b/erpnext/projects/utils.py
@ -13,12 +13,12 @@ def get_time_log_list(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist()
 def query_task(doctype, txt, searchfield, start, page_len, filters):
 	from frappe.desk.reportview import build_match_conditions
-	
+
 	search_string = "%%%s%%" % txt
 	order_by_string = "%s%%" % txt
 	match_conditions = build_match_conditions("Task")
 	match_conditions = ("and" + match_conditions) if match_conditions else ""
-	
+
 	return frappe.db.sql("""select name, subject from `tabTask`
 		where (`%s` like %s or `subject` like %s) %s
 		order by
@ -26,7 +26,7 @@ def query_task(doctype, txt, searchfield, start, page_len, filters):
 			case when `%s` like %s then 0 else 1 end,
 			`%s`,
 			subject
-		limit %s, %s""" % 
-		(searchfield, "%s", "%s", match_conditions, "%s", 
-			searchfield, "%s", searchfield, "%s", "%s"),
-		(search_string, search_string, order_by_string, order_by_string, start, page_len))
+		limit %s, %s""" %
+		(frappe.db.escape(searchfield), "%s", "%s", match_conditions, "%s",
+			frappe.db.escape(searchfield), "%s", frappe.db.escape(searchfield), "%s", "%s"),
+		(search_string, search_string, order_by_string, order_by_string, start, page_len))
--- a/erpnext/selling/doctype/sales_order/sales_order.py
+++ b/erpnext/selling/doctype/sales_order/sales_order.py
@ -607,7 +607,7 @@ def get_supplier(doctype, txt, searchfield, start, page_len, filters):
 			name, supplier_name
 		limit %(start)s, %(page_len)s """.format(**{
 			'field': fields,
-			'key': searchfield
+			'key': frappe.db.escape(searchfield)
 		}), {
 			'txt': "%%%s%%" % txt,
 			'_txt': txt.replace("%", ""),
--- a/erpnext/selling/page/sales_browser/sales_browser.py
+++ b/erpnext/selling/page/sales_browser/sales_browser.py
@ -8,16 +8,16 @@ import frappe
@frappe.whitelist()
 def get_children():
 	ctype = frappe.local.form_dict.get('ctype')
-	frappe.local.form_dict['parent_field'] = 'parent_' + ctype.lower().replace(' ', '_')
-	if not frappe.form_dict.get('parent'):
-		frappe.local.form_dict['parent'] = ''
+	parent_field = 'parent_' + ctype.lower().replace(' ', '_')
+	parent = frappe.form_dict.get("parent") or ""

 	return frappe.db.sql("""select name as value,
 		if(is_group='Yes', 1, 0) as expandable
-		from `tab%(ctype)s`
+		from `tab{ctype}`
 		where docstatus < 2
-		and ifnull(%(parent_field)s,'') = "%(parent)s"
-		order by name""" % frappe.local.form_dict, as_dict=1)
+		and ifnull(`{parent_field}`,'') = %s
+		order by name""".format(ctype=frappe.db.escape(ctype), parent_field=frappe.db.escape(parent_field)),
+		parent, as_dict=1)

@frappe.whitelist()
 def add_node():
--- a/erpnext/setup/doctype/sms_settings/sms_settings.py
+++ b/erpnext/setup/doctype/sms_settings/sms_settings.py
@ -42,7 +42,7 @@ def get_sender_name():
 def get_contact_number(contact_name, value, key):
 	"returns mobile number of the contact"
 	number = frappe.db.sql("""select mobile_no, phone from tabContact where name=%s and %s=%s""" %
-		('%s', key, '%s'), (contact_name, value))
+		('%s', frappe.db.escape(key), '%s'), (contact_name, value))
 	return number and (number[0][0] or number[0][1]) or ''

@frappe.whitelist()
@ -94,7 +94,7 @@ def send_request(gateway_url, args):
 	headers = {}
 	headers['Accept'] = "text/plain, text/html, */*"
 	conn.request('GET', api_url + urllib.urlencode(args), headers = headers)    # send request
-	resp = conn.getresponse()     # get response		
+	resp = conn.getresponse()     # get response
 	return resp.status

 # Split gateway url to server and api url
--- a/erpnext/utilities/doctype/address/address.py
+++ b/erpnext/utilities/doctype/address/address.py
@ -35,7 +35,7 @@ class Address(Document):
 			for fieldname in self.link_fields:
 				if self.get(fieldname):
 					if not frappe.db.sql("""select name from `tabAddress` where is_primary_address=1
-						and `%s`=%s and name!=%s""" % (fieldname, "%s", "%s"),
+						and `%s`=%s and name!=%s""" % (frappe.db.escape(fieldname), "%s", "%s"),
 						(self.get(fieldname), self.name)):
 							self.is_primary_address = 1
 					break