[fix] injection

This commit is contained in:
Anand Doshi 2015-11-17 18:27:50 +05:30
parent 3667da1053
commit da79740cdf
11 changed files with 53 additions and 50 deletions


@ -2,7 +2,7 @@
# License: GNU General Public License v3. See license.txt
from __future__ import unicode_literals
import frappe
import frappe, json
from frappe.utils import cstr, flt, fmt_money, formatdate
from frappe import msgprint, _, scrub
from erpnext.controllers.accounts_controller import AccountsController
@ -647,14 +647,17 @@ def get_against_jv(doctype, txt, searchfield, start, page_len, filters):
from `tabJournal Entry` jv, `tabJournal Entry Account` jv_detail
where jv_detail.parent = jv.name and jv_detail.account = %s and ifnull(jv_detail.party, '') = %s
and ifnull(jv_detail.reference_type, '') = ''
and jv.docstatus = 1 and jv.{0} like %s order by jv.name desc limit %s, %s""".format(searchfield),
and jv.docstatus = 1 and jv.`{0}` like %s order by jv.name desc limit %s, %s""".format(frappe.db.escape(searchfield)),
(filters.get("account"), cstr(filters.get("party")), "%{0}%".format(txt), start, page_len))
@frappe.whitelist()
def get_outstanding(args):
if not frappe.has_permission("Account"):
frappe.msgprint(_("No Permission"), raise_exception=1)
args = eval(args)
if isinstance(args, basestring):
args = json.loads(args)
company_currency = get_company_currency(args.get("company"))
if args.get("doctype") == "Journal Entry":
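Review bot: On the rewritten `jv.`{0}`` line, `frappe.db.escape(searchfield)` is applied to a column name, but escape() is a string-literal escape (quotes, backslashes, control characters); it is not an identifier escape, so the backticks are doing the protecting, and as far as I can tell a backtick inside searchfield is not neutralized by it. A caller-supplied field name should be checked against an allowlist before it is formatted into the query, e.g. `if not re.match(r"^[A-Za-z0-9_]+$", searchfield): frappe.throw(_("Invalid search field"))` (needs `import re`), or better, confirmed to be a field of the DocType being queried via `frappe.get_meta("Journal Entry").get_field(searchfield)`. The same escape-as-identifier pattern is used for table and column names in get_against_voucher_amount, get_expense_account, both get_children functions, query_task, get_supplier, get_contact_number and Address; in get_expense_account (`tabAccount.{key}`) and get_contact_number (`%s=%s`) the identifier is not even backtick-quoted, so escape() alone constrains nothing there. The `eval(args)` to `json.loads` change is the right one; note the body of get_against_jv starts outside the hunk.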


@ -125,6 +125,6 @@ def get_against_voucher_amount(against_voucher_type, against_voucher_no, party_a
select_cond = "{0} as total_amount".format(ref_field)
details = frappe.db.sql("""select {0} from `tab{1}` where name = %s"""
.format(select_cond, against_voucher_type), against_voucher_no, as_dict=1)
.format(select_cond, frappe.db.escape(against_voucher_type)), against_voucher_no, as_dict=1)
return details[0] if details else {}


@ -179,7 +179,7 @@ def get_pricing_rules(args):
if parent_groups:
if allow_blank: parent_groups.append('')
condition = " ifnull("+field+", '') in ('" + \
"', '".join([d.replace("'", "\\'").replace('"', '\\"').replace("%", "%%") for d in parent_groups])+"')"
"', '".join([frappe.db.escape(d) for d in parent_groups])+"')"
return condition
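Review bot: The rewritten join line drops the `.replace("%", "%%")` the old line applied to every group name; if this condition string is later spliced into a query that frappe.db.sql executes with a values argument, a literal `%` in a group name is now left for the driver's format step, so confirm whether frappe.db.escape doubles `%` itself and, if it does not, keep `.replace("%", "%%")` after the escape, e.g. `frappe.db.escape(d).replace("%", "%%")`. `field` on the `ifnull(` line is still concatenated unescaped and unquoted; if it can originate from request arguments it needs an allowlist check rather than escaping. get_pricing_rules starts and ends outside the hunk.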


@ -438,10 +438,10 @@ def get_expense_account(doctype, txt, searchfield, start, page_len, filters):
or tabAccount.account_type in ("Expense Account", "Fixed Asset", "Temporary"))
and tabAccount.is_group=0
and tabAccount.docstatus!=2
and tabAccount.company = '%(company)s'
and tabAccount.%(key)s LIKE '%(txt)s'
%(mcond)s""" % {'company': filters['company'], 'key': searchfield,
'txt': "%%%s%%" % frappe.db.escape(txt), 'mcond':get_match_cond(doctype)})
and tabAccount.company = %(company)s
and tabAccount.{key} LIKE %(txt)s
{mcond}""".format( key=frappe.db.escape(searchfield), mcond=get_match_cond(doctype) ),
{ 'company': filters['company'], 'txt': "%%%s%%" % frappe.db.escape(txt) })
@frappe.whitelist()
def make_debit_note(source_name, target_doc=None):
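Review bot: In the new values dict, `'txt': "%%%s%%" % frappe.db.escape(txt)` escapes `txt` and then binds it as a parameter, so it is escaped twice — once here and again by the driver when it substitutes `%(txt)s` — and a search term containing a quote or backslash will no longer match. That was needed when the old line interpolated `'%(txt)s'` into the query text by hand, but with parameter binding `'txt': "%%%s%%" % txt` is sufficient and matches how `%(company)s` is now handled. get_expense_account starts outside the hunk.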


@ -25,9 +25,9 @@ def get_children():
acc = frappe.db.sql(""" select
name as value, is_group as expandable %s
from `tab%s`
where ifnull(parent_%s,'') = ''
where ifnull(`parent_%s`,'') = ''
and `company` = %s and docstatus<2
order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
company, as_dict=1)
if args["parent"]=="Accounts":
@ -38,9 +38,9 @@ def get_children():
acc = frappe.db.sql("""select
name as value, is_group as expandable %s
from `tab%s`
where ifnull(parent_%s,'') = %s
where ifnull(`parent_%s`,'') = %s
and docstatus<2
order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
args['parent'], as_dict=1)
if ctype == 'Account':


@ -65,7 +65,7 @@ def get_balance_on(account=None, date=None, party_type=None, party=None, in_acco
cond = []
if date:
cond.append("posting_date <= '%s'" % date)
cond.append("posting_date <= '%s'" % frappe.db.escape(date))
else:
# get balance of all entries that exist
date = nowdate()
@ -105,11 +105,11 @@ def get_balance_on(account=None, date=None, party_type=None, party=None, in_acco
if acc.account_currency == frappe.db.get_value("Company", acc.company, "default_currency"):
in_account_currency = False
else:
cond.append("""gle.account = "%s" """ % (account.replace('"', '\\"'), ))
cond.append("""gle.account = "%s" """ % (frappe.db.escape(account), ))
if party_type and party:
cond.append("""gle.party_type = "%s" and gle.party = "%s" """ %
(party_type.replace('"', '\\"'), party.replace('"', '\\"')))
(frappe.db.escape(party_type), frappe.db.escape(party)))
if account or (party_type and party):
if in_account_currency:
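Review bot: The new `posting_date <= '%s'` line passes `date` straight to frappe.db.escape, where the old line only stringified it through `%s`; if any caller of get_balance_on supplies a datetime.date rather than a string, escape() may not accept it, so `frappe.db.escape(str(date))` (or `cstr(date)` from frappe.utils) would preserve the old behaviour for both. More generally the `date`, `account`, `party_type` and `party` values are all quoted by hand into `cond`; they are values rather than identifiers, so binding them as parameters of the final query would remove the quoting question entirely, though that depends on how `cond` is assembled outside this hunk. get_balance_on starts and ends outside the hunk.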


@ -27,6 +27,6 @@ def query_task(doctype, txt, searchfield, start, page_len, filters):
`%s`,
subject
limit %s, %s""" %
(searchfield, "%s", "%s", match_conditions, "%s",
searchfield, "%s", searchfield, "%s", "%s"),
(frappe.db.escape(searchfield), "%s", "%s", match_conditions, "%s",
frappe.db.escape(searchfield), "%s", frappe.db.escape(searchfield), "%s", "%s"),
(search_string, search_string, order_by_string, order_by_string, start, page_len))


@ -607,7 +607,7 @@ def get_supplier(doctype, txt, searchfield, start, page_len, filters):
name, supplier_name
limit %(start)s, %(page_len)s """.format(**{
'field': fields,
'key': searchfield
'key': frappe.db.escape(searchfield)
}), {
'txt': "%%%s%%" % txt,
'_txt': txt.replace("%", ""),


@ -8,16 +8,16 @@ import frappe
@frappe.whitelist()
def get_children():
ctype = frappe.local.form_dict.get('ctype')
frappe.local.form_dict['parent_field'] = 'parent_' + ctype.lower().replace(' ', '_')
if not frappe.form_dict.get('parent'):
frappe.local.form_dict['parent'] = ''
parent_field = 'parent_' + ctype.lower().replace(' ', '_')
parent = frappe.form_dict.get("parent") or ""
return frappe.db.sql("""select name as value,
if(is_group='Yes', 1, 0) as expandable
from `tab%(ctype)s`
from `tab{ctype}`
where docstatus < 2
and ifnull(%(parent_field)s,'') = "%(parent)s"
order by name""" % frappe.local.form_dict, as_dict=1)
and ifnull(`{parent_field}`,'') = %s
order by name""".format(ctype=frappe.db.escape(ctype), parent_field=frappe.db.escape(parent_field)),
parent, as_dict=1)
@frappe.whitelist()
def add_node():
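Review bot: The removed lines wrote `parent_field` and a defaulted `parent` back into `frappe.local.form_dict`, while the new code keeps them in locals; if anything else in the same request reads `frappe.form_dict['parent_field']` or relies on `parent` being defaulted to `''`, that side effect is gone — worth confirming against the callers. Binding `parent` as a query parameter is the right change; a one-line comment such as `# ctype selects the table and the parent_<ctype> column; it must be a DocType this tree serves` above the query would make the remaining trust assumption explicit for the next reader. get_children is shown in full; add_node continues outside the hunk.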


@ -42,7 +42,7 @@ def get_sender_name():
def get_contact_number(contact_name, value, key):
"returns mobile number of the contact"
number = frappe.db.sql("""select mobile_no, phone from tabContact where name=%s and %s=%s""" %
('%s', key, '%s'), (contact_name, value))
('%s', frappe.db.escape(key), '%s'), (contact_name, value))
return number and (number[0][0] or number[0][1]) or ''
@frappe.whitelist()


@ -35,7 +35,7 @@ class Address(Document):
for fieldname in self.link_fields:
if self.get(fieldname):
if not frappe.db.sql("""select name from `tabAddress` where is_primary_address=1
and `%s`=%s and name!=%s""" % (fieldname, "%s", "%s"),
and `%s`=%s and name!=%s""" % (frappe.db.escape(fieldname), "%s", "%s"),
(self.get(fieldname), self.name)):
self.is_primary_address = 1
break