[Mpuls-commits] r4814 - in base/trunk: . mpulsweb/controllers
scm-commit@wald.intevation.org
Mon Mar 28 10:55:17 CEST 2011
Author: roland
Date: 2011-03-28 10:55:15 +0200 (Mon, 28 Mar 2011)
New Revision: 4814
Modified:
base/trunk/ChangeLog
base/trunk/mpulsweb/controllers/evaluate.py
Log:
issue1961: comment code allowing for SQL injection
Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog 2011-03-25 13:31:42 UTC (rev 4813)
+++ base/trunk/ChangeLog 2011-03-28 08:55:15 UTC (rev 4814)
@@ -1,3 +1,8 @@
+2011-03-28 Roland Geider <roland.geider at intevation.de>
+
+ * mpulsweb/controllers/evaluate.py: issue1961: comment code allowing
+ for SQL injection
+
2011-03-21 Roland Geider <roland.geider at intevation.de>
* mpulsweb/templates/privacy/dialogs/missing_statement_body.mako:
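Review bot: The new entry for mpulsweb/controllers/evaluate.py says only "comment code allowing for SQL injection", so a reader of the ChangeLog cannot tell that the `sql` evaluation parameter is now replaced by `None` and therefore ignored. Suggest wording the entry to say that the parameter is disabled until issue1961 is resolved.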
Modified: base/trunk/mpulsweb/controllers/evaluate.py
===================================================================
--- base/trunk/mpulsweb/controllers/evaluate.py 2011-03-25 13:31:42 UTC (rev 4813)
+++ base/trunk/mpulsweb/controllers/evaluate.py 2011-03-28 08:55:15 UTC (rev 4814)
@@ -222,7 +222,13 @@
eval_params['start_date'],
eval_params['end_date'],
None, None, None,
- eval_params['sql'],
+
+ # issue1961: SQL-injection possible
+ # through parameter, so set to None
+ # for the moment (application server)
+ #eval_params['sql'],
+ None,
+
eval_params['typelist'])
evalset = EvaluationSet(evalconfig)
evalset.evaluate()
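Review bot: Keeping the commented-out `#eval_params['sql'],` argument next to a "for the moment" comment invites a later change to restore the raw parameter without fixing the underlying problem. Suggest deleting the commented-out line and having the comment name the condition for re-enabling, for example that the value is checked against an allow-list or bound as a query parameter instead of being passed on as SQL text. The hunk does not show whether `eval_params['sql']` is still read from the request or used by other code; if it is, it should be dropped there as well so that this call site is not the only guard. The two empty `+` lines inside the argument list are unnecessary.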