[Mpuls-commits] r4915 - in base/trunk: . mpulsweb/controllers mpulsweb/lib mpulsweb/templates/evaluation
scm-commit@wald.intevation.org
Fri Apr 15 17:56:53 CEST 2011
Author: bh
Date: 2011-04-15 17:56:52 +0200 (Fri, 15 Apr 2011)
New Revision: 4915
Modified:
base/trunk/ChangeLog
base/trunk/mpulsweb/controllers/case_bundle.py
base/trunk/mpulsweb/controllers/case_overview.py
base/trunk/mpulsweb/controllers/evaluate.py
base/trunk/mpulsweb/controllers/evaluation_overview.py
base/trunk/mpulsweb/lib/validators.py
base/trunk/mpulsweb/templates/evaluation/evaluate.mako
base/trunk/mpulsweb/templates/evaluation/overview.mako
Log:
Remove the id_field form parameter to avoid SQL injections.
Fixes the rest of mpuls/issue1961
The solution is analogous to the handling of sql_where. After a
search, the value is stored in the session under the key
'id_field_candidate'. If cases/agencies are marked for evaluation
the value is copied in the session to the key 'id_field'. The same
limitation with multiple overlapping searches as with sql_where
applies here, too.
* mpulsweb/controllers/case_bundle.py
(CaseBundleController.bundleAction): Copy id_field_candidate to
id_field in the session data.
* mpulsweb/controllers/case_overview.py
(CaseOverviewController._renderOverview): Save id_field_candidate
in the session.
* mpulsweb/controllers/evaluate.py (get_search_options): Remove
parameter id_field. That parameter is not a form parameter
anymore.
(EvaluateController.evaluate): Adapt to get_search_options
changes.
(EvaluateController._get_evalparams): Add parameter id_field. That
parameter is not in the form_result, but is part of the parameters
that will be passed to libmpuls, so it needs to be passed
separately.
(EvaluateController.evaluateAction): Pass id_field taken from the
session data to _get_evalparams.
* mpulsweb/controllers/evaluation_overview.py
(EvaluationOverviewController.overview): Save the id field name in
the session under the key 'id_field_candidate'.
(EvaluationOverviewController.bundleAction): Copy
id_field_candidate to id_field in the session data.
* mpulsweb/lib/validators.py (EvaluationFormValidator.id_field)
(BundleActionForm.id_field): Removed. Not used anymore.
* mpulsweb/templates/evaluation/overview.mako,
mpulsweb/templates/evaluation/evaluate.mako: Remove hidden
parameter id_field.
Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/ChangeLog 2011-04-15 15:56:52 UTC (rev 4915)
@@ -1,5 +1,50 @@
2011-04-15 Bernhard Herzog <bh at intevation.de>
+ Remove the id_field form parameter to avoid SQL injections.
+ Fixes the rest of mpuls/issue1961
+
+ The solution analogous to the handling of sql_where. After a
+ search, the value is stored in the session under the key
+ 'id_field_candidate'. If cases/agencies are marked for evaluation
+ the value is copied in the session to the key 'id_field'. The same
+ limitation with multiple overlapping searches as with sql_where
+ applies here, too.
+
+ * mpulsweb/controllers/evaluation_overview.py
+ (EvaluationOverviewController.overview): Save the id field name in
+ the session under the key 'id_field_candidate.
+ (EvaluationOverviewController.bundleAction): Copy
+ id_field_candidate to id_field in the session data.
+
+ * mpulsweb/controllers/case_overview.py
+ (CaseOverviewController._renderOverview): Save id_field_candidate
+ in the session.
+
+ * mpulsweb/controllers/evaluate.py (get_search_options): emove
+ parameter id_field. That parameter is not a form parameter
+ anymore.
+ (EvaluateController.evaluate): Adapt to get_search_options
+ changes.
+ (EvaluateController._get_evalparams): Add parameter id_field. That
+ parameter is not in the form_result, but is part of the parameters
+ that will be passed to libmpuls, so it needs to be passed
+ separately.
+ (EvaluateController.evaluateAction): Pass id_field taken from the
+ session data to _get_evalparams.
+
+ * mpulsweb/controllers/case_bundle.py
+ (CaseBundleController.bundleAction): Copy id_field_candidate to
+ id_field in the session data.
+
+ * mpulsweb/lib/validators.py (EvaluationFormValidator.id_field)
+ (BundleActionForm.id_field): Removed. Not used anymore.
+
+ * mpulsweb/templates/evaluation/overview.mako,
+ mpulsweb/templates/evaluation/evaluate.mako: Remove hidden
+ parameter id_field
+
+2011-04-15 Bernhard Herzog <bh at intevation.de>
+
Remove the sql_where form parameter to avoid SQL injections.
Fixes part of mpuls/issue1961
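Review bot: the ChangeLog entry carries the same typos as the commit message and is the permanent record, so please fix them here too: `emove` should read `Remove`, `'id_field_candidate.` lacks its closing quote, and `The solution analogous to` is missing `is`.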
Modified: base/trunk/mpulsweb/controllers/case_bundle.py
===================================================================
--- base/trunk/mpulsweb/controllers/case_bundle.py 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/mpulsweb/controllers/case_bundle.py 2011-04-15 15:56:52 UTC (rev 4915)
@@ -192,7 +192,7 @@
session['casebundle'] = case_bundle
session["evaluation_ids"] = case_bundle.listDatasetIds()
- session["id_field"] = form_result.get('id_field')
+ session["id_field"] = session.get('id_field_candidate')
session["sql_where"] = session.get('sql_where_candidate')
session.save()
c.url_ok = url_for(controller='/case_overview')
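Review bot: `session.get('id_field_candidate')` returns None when no overview search preceded the bundle action (expired session, direct POST), and that None is later formatted into the `selected_ids` clause in `_get_evalparams` as `(None in (...))`; consider rejecting the request with an explicit error when the candidate is missing rather than letting that reach the database. The overlapping-search caveat from the message applies here in a concrete way: `id_field_candidate` is written by both the case overview (`m.id`) and the evaluation overview (`m.fkz::integer`), so whichever page was rendered last in the session wins.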
Modified: base/trunk/mpulsweb/controllers/case_overview.py
===================================================================
--- base/trunk/mpulsweb/controllers/case_overview.py 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/mpulsweb/controllers/case_overview.py 2011-04-15 15:56:52 UTC (rev 4915)
@@ -133,7 +133,7 @@
if form_defaults.get('editor') != -1:
c.hide_evaluation = True
- form_defaults["id_field"] = "m.id"
+ session["id_field_candidate"] = "m.id"
form_defaults["all_ids"] = " ".join(unicode(case.id)
for case in cases.getDatasets())
c.cases = cases
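Review bot: the new write `session["id_field_candidate"] = "m.id"` has no `session.save()` in the visible context; Beaker sessions under Pylons persist changes only after `session.save()`, so please confirm `_renderOverview` (or its caller) saves, as `case_bundle.py` does immediately after its session writes. Previously the value travelled in `form_defaults`, which needed no save, so this is a new requirement introduced by the change.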
Modified: base/trunk/mpulsweb/controllers/evaluate.py
===================================================================
--- base/trunk/mpulsweb/controllers/evaluate.py 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/mpulsweb/controllers/evaluate.py 2011-04-15 15:56:52 UTC (rev 4915)
@@ -48,11 +48,10 @@
return sdate, edate
-def get_search_options(soptions=None, id=None, selected_ids=(), id_field=None):
+def get_search_options(soptions=None, id=None, selected_ids=()):
options = {}
options['id'] = id
options["selected_ids"] = selected_ids
- options["id_field"] = id_field
options['typelist'] = c.evalconfig.get_evaluations()
# set default evaluation options.
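Review bot: dropping `id_field` from the signature of the module-level `get_search_options` will raise `TypeError` for any other caller that still passes it, positionally or by keyword; the hunk only shows the call in `evaluate`, so the remaining callers should be checked before landing. A one-line docstring noting that the id field now comes from the session would spare the next reader a search.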
@@ -90,8 +89,7 @@
c.evalconfig = EvaluationConfig(get_configfile(id), None, None, None,
None, None, None, None, None)
evaloptions = get_search_options(session.get('evaluation.options'), id,
- session.get("evaluation_ids", ()),
- session.get("id_field"))
+ session.get("evaluation_ids", ()))
# If user selects adele-evaluation render page with disabled
# configuration elements. Change default params
@@ -108,7 +106,7 @@
return formencode.htmlfill.render(form, defaults=defaults,
errors={}, auto_insert_errors=False)
- def _get_evalparams(self, form_result, sql_where):
+ def _get_evalparams(self, form_result, id_field, sql_where):
params = {}
params['id'] = form_result['id']
params['start_date'] = str(form_result['start_date'])
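Review bot: inserting `id_field` as a positional parameter between `form_result` and `sql_where` shifts the meaning of the second positional argument; any two-argument caller `self._get_evalparams(form_result, where)` now binds `where` to `id_field` and fails only at call time with a missing-argument `TypeError`. Appending the new parameter at the end, or having callers pass `id_field=` and `sql_where=` by keyword, makes the intent explicit and immune to ordering mistakes.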
@@ -152,7 +150,6 @@
where_clauses.append("".join(dates))
selected_ids = "TRUE"
- id_field = form_result.get("id_field")
if form_result.get("selected_ids"):
selected_ids = ("(%s in (%s))"
% (id_field,
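Review bot: `id_field` is still spliced into the SQL text with `%s`; the change is safe only because the value now originates from the two server-side constants written to the session rather than from the form. Making that invariant explicit inside this function, for example by rejecting `None` or anything other than the known column expressions before building the clause, would keep it from regressing if a future caller supplies something else. The `selected_ids` side of the clause is covered by the validator's `int()` conversion, so that half is fine.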
@@ -211,7 +208,7 @@
auto_insert_errors=False)
# Build evaluation
- eval_params = self._get_evalparams(form_result,
+ eval_params = self._get_evalparams(form_result, session.get("id_field"),
session.get("sql_where"))
try:
try:
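Review bot: the new call line `eval_params = self._get_evalparams(form_result, session.get("id_field"),` runs past 79 columns; wrapping `session.get("id_field")` onto its own continuation line would match the style already used for `session.get("sql_where")` directly below it.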
Modified: base/trunk/mpulsweb/controllers/evaluation_overview.py
===================================================================
--- base/trunk/mpulsweb/controllers/evaluation_overview.py 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/mpulsweb/controllers/evaluation_overview.py 2011-04-15 15:56:52 UTC (rev 4915)
@@ -140,7 +140,7 @@
overview = render('/evaluation/overview.mako')
form_defaults = search_options_copy or request.params.mixed()
- form_defaults["id_field"] = "m.fkz::integer"
+ session["id_field_candidate"] = "m.fkz::integer"
form_defaults["all_ids"] = " ".join(unicode(case.id)
for case in c.cases.getDatasets() if case.id)
session["sql_where_candidate"] = c.cases.getWhereSQL()
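Review bot: `id_field_candidate` and `sql_where_candidate` are now both written here and are copied as a pair by the bundle action, but the hunk shows no `session.save()` after either write; please verify one follows both assignments in this method so the two values describing the same result set are persisted together rather than one stale and one fresh.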
@@ -209,7 +209,7 @@
return self.no_action()
if action == 'evaluate':
session["evaluation_ids"] = form_result.get('case_id')
- session["id_field"] = form_result.get('id_field')
+ session["id_field"] = session.get("id_field_candidate")
session["sql_where"] = session.get("sql_where_candidate")
if form_result.get('all_cases') > 0:
session["evaluation_ids"] = form_result.get('all_ids')
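Review bot: this branch already has a cheap failure path in `self.no_action()` two lines above; returning it when `session.get("id_field_candidate")` is None would stop an evaluate action started without a preceding overview search from proceeding with `id_field = None`, which is otherwise only caught once the clause is built in `evaluate.py`.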
Modified: base/trunk/mpulsweb/lib/validators.py
===================================================================
--- base/trunk/mpulsweb/lib/validators.py 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/mpulsweb/lib/validators.py 2011-04-15 15:56:52 UTC (rev 4915)
@@ -672,7 +672,6 @@
type_ending = ForEach(String(), convert_to_list=True)
phase = ForEach(String(), convert_to_list=True)
show_percent = Bool(if_missing=False)
- id_field = String(if_missing=None)
selected_ids = Wrapper(to_python=lambda s: [int(item)
for item in s.split()],
from_python=lambda ids: " ".join(map(unicode, ids)),
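Review bot: with `id_field` removed from `EvaluationFormValidator`, a cached copy of the old page that still posts the hidden `id_field` input will present it as an unknown field; formencode schemas reject unknown fields unless `allow_extra_fields = True` is set, and only drop them with `filter_extra_fields = True`. If that rejection is the intended belt-and-braces behaviour, fine; otherwise set those two options so stale forms degrade gracefully instead of erroring. The same applies to the `BundleActionForm` hunk below.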
@@ -706,7 +705,6 @@
'formletter:1', 'formletter:2', 'formletter:3','formletter:4', 'formletter:5',
'evaluate']))
case_id = ForEach(Int(), convert_to_list=True)
- id_field = String(if_missing=None)
all_ids = Wrapper(to_python=lambda s: [int(item) for item in s.split()])
Modified: base/trunk/mpulsweb/templates/evaluation/evaluate.mako
===================================================================
--- base/trunk/mpulsweb/templates/evaluation/evaluate.mako 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/mpulsweb/templates/evaluation/evaluate.mako 2011-04-15 15:56:52 UTC (rev 4915)
@@ -70,7 +70,6 @@
"%d cases have been selected for evaluation",
len(evaluation_ids)) % len(evaluation_ids))}
<input type="hidden" name="selected_ids">
- <input type="hidden" name="id_field">
</td>
</tr>
% endif
Modified: base/trunk/mpulsweb/templates/evaluation/overview.mako
===================================================================
--- base/trunk/mpulsweb/templates/evaluation/overview.mako 2011-04-15 14:42:47 UTC (rev 4914)
+++ base/trunk/mpulsweb/templates/evaluation/overview.mako 2011-04-15 15:56:52 UTC (rev 4915)
@@ -23,7 +23,6 @@
<input type="checkbox" name="all_cases" id="all_cases" value="1"><label for="all_cases">
${ungettext('Select the %s found agency.', 'Select all %s found agencys', c.count_all) % c.count_agency}</label>
<input type="hidden" name="all_ids" value="">
- <input type="hidden" name="id_field" value="">
</div>
<div class="waska_form_element w30">
<select name="action">
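Review bot: removing the hidden input is the right counterpart to the validator change; while in this block, the context line `${ungettext('Select the %s found agency.', 'Select all %s found agencys', c.count_all) % c.count_agency}` selects the plural form from `c.count_all` but substitutes `c.count_agency`, so the two counts can disagree, and `agencys` should read `agencies` with the singular and plural strings punctuated consistently.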