SQL injection vulnerability in ir.sequence
Bug #512682 reported by Albert Cervera i Areny - http://www.NaN-tic.com
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Odoo Server (MOVED TO GITHUB) | Fix Released | Critical | Christophe Simonis (OpenERP) | |
Bug Description
In ir_sequence.py:73:
def get_id(self, cr, uid, sequence_id, test='id=%s', context=None):
cr.
Revising the recently committed patch to ir_sequence.py, I realized there's an obvious SQL injection vulnerability. The bug requires changes in several modules that use this functionality. More precisely:
account/sequence.py
account_
base_module_
base_module_
Changed in openobject-server:
importance: Undecided → Critical
milestone: none → 5.0.7
Changed in openobject-server:
status: New → Confirmed
assignee: nobody → Christophe (OpenERP) (kangol)
security vulnerability: no → yes
Changed in openobject-server:
status: Confirmed → Fix Released
The attached patch fixes the problem in ir_sequence.py
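
The pattern the report describes, a `test` argument that carries a SQL fragment and is spliced into the WHERE clause, is shown here beside one hardened form. This is an added illustration, not code from OpenERP or from the attached patch: the `seq` table, the sqlite3 backend with `?` placeholders, and the names `make_db`, `get_id_fragment`, `get_id_safe` and `ALLOWED_FIELDS` are all constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; not the real ir_sequence schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE seq (id INTEGER PRIMARY KEY, code TEXT,"
               " number_next INTEGER, active INTEGER)")
    db.executemany("INSERT INTO seq VALUES (?, ?, ?, ?)", [
        (1, "sale.order", 10, 1),
        (2, "account.invoice", 500, 1),
        (3, "stock.picking", 7, 0),   # inactive: must never be returned
    ])
    return db

def get_id_fragment(db, sequence_id, test="id=?"):
    # Risky shape: `test` is SQL text, so whoever controls it controls
    # the structure of the statement, not just a value in it.
    sql = "SELECT id, number_next FROM seq WHERE " + test + " AND active=1"
    return db.execute(sql, (sequence_id,)).fetchall()

ALLOWED_FIELDS = frozenset(["id", "code"])

def get_id_safe(db, sequence_id, field="id"):
    # Hardened shape: the caller picks a column from a fixed allowlist and
    # the lookup value only ever travels as a bound parameter.
    if field not in ALLOWED_FIELDS:
        raise ValueError("unsupported lookup field: %r" % (field,))
    sql = "SELECT id, number_next FROM seq WHERE " + field + " = ? AND active=1"
    return db.execute(sql, (sequence_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(get_id_fragment(db, 1))                      # intended use
    print(get_id_fragment(db, 1, "id=? OR 1=1 --"))    # active filter rewritten
    print(get_id_safe(db, "account.invoice", "code"))  # lookup by code
    try:
        get_id_safe(db, 1, "id=? OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
```

Every call site that passed a fragment has to change to the field-name form, which is consistent with the report's note that several modules need updating.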