Commit 283a8547 authored by Nicolas Delaby's avatar Nicolas Delaby

Escape login with sql_quote in Security Query

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@24812 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent d57a8db6
......@@ -50,6 +50,7 @@ from Products.PageTemplates.Expressions import getEngine
from MethodObject import Method
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from DocumentTemplate.DT_Var import sql_quote
import os, time, urllib, warnings
import sys
......@@ -564,7 +565,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
else:
# XXX: What with this string transformation ?! Souldn't it be done in
# dtml instead ?
allowedRolesAndUsers = ["'%s'" % (role, ) for role in allowedRolesAndUsers]
allowedRolesAndUsers = ["'%s'" % (sql_quote(role), ) for role in allowedRolesAndUsers]
security_uid_list = [x.uid for x in method(security_roles_list = allowedRolesAndUsers)]
security_uid_cache[cache_key] = security_uid_list
else:
......
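Review bot: The replacement line `allowedRolesAndUsers = ["'%s'" % (sql_quote(role), ) for role in allowedRolesAndUsers]` relies on DocumentTemplate's sql_quote, which in Zope releases of this era only doubles single quotes; on MySQL, whose default mode treats backslash as an escape character, a login containing a backslash may still end the quoted literal, so confirm which sql_quote implementation the deployment ships before treating this as complete. The XXX comment just above already says the transformation belongs in the DTML of the ZSQL method; quoting there with `<dtml-sqlvar ... type=string>` (or passing the raw list and using `<dtml-sqltest ... type=string multiple>`) keeps the escaping next to the query it protects instead of in Python string formatting. The enclosing method starts and ends outside the hunk, so I cannot see whether the other branch of this `if`/`else` builds the same list without quoting.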
......@@ -2961,6 +2961,23 @@ VALUES
strict_group_related_description='c')]
self.assertEquals(category_list,[sub_group_nexedi])
def test_EscapingLoginInSescurityQuery(self,
quiet=quiet, run=run_all_test):
if not run: return
if not quiet:
message = 'Test that login are escaped when call security_query'
ZopeTestCase._print('\n%s ' % message)
LOG('Testing... ',0,message)
# Create some objects
reference = "aaa.o'connor@fake.ie"
portal = self.getPortal()
uf = self.portal.acl_users
uf._doAddUser(reference, 'secret', ['Member'], [])
user = uf.getUserById(reference).__of__(uf)
newSecurityManager(None, user)
portal.view()
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestERP5Catalog))
......
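Review bot: test_EscapingLoginInSescurityQuery (misspelt; should be `test_EscapingLoginInSecurityQuery`) asserts nothing — it passes as long as `portal.view()` does not raise, so a regression that drops the quoting again, or one that quotes the login into a query that simply matches nothing, would not be caught. Calling the catalog's security query directly for the new user and asserting on its result would pin the behaviour the commit message claims, and a second login containing a backslash would cover the MySQL escape character as well as the single quote. Minor: the body mixes `portal = self.getPortal()` with `self.portal.acl_users` on the next line; use one of them consistently.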