Missing protection against '%' in user data

Bug #1100907 reported by Christophe Combelles
Affects: Odoo Server (MOVED TO GITHUB)
Status: Confirmed
Importance: Medium
Assigned to: OpenERP's Framework R&D
Milestone: (none)

Bug Description

On the latest 7.0 branch:

- create an empty database
- install the 'sale' app
- enable user CSV import in the settings
- enable pricelists in the sale config
- Create a file pricelist.csv containing:

"active",".id","currency_id","id","name","visible_discount","company_id","type","version_id"
"True","6","EUR (€)","list3","Public Pricelist -3%","True","","sale","Public Pricelist Version -3%"

- Select this file in the import wizard of the pricelist list view.
- Click on Validate

=> traceback
  File "/home/dadafkas/projets/anybox/buildout.7.0/parts/openobject-server/7.0/openerp/osv/orm.py", line 1483, in _log
    message=unicode(exception.args[0]) % base)
ValueError: unsupported format character ''' (0x27) at index 67

The problem comes from the '%' in the user data being interpreted by the % formatting. The bug is located in several places in the code; I could only find a few of them:

openobject-server/openerp/addons/base/ir/ir_fields.py:174
openobject-server/openerp/addons/base/ir/ir_fields.py:182
openobject-server/openerp/addons/base/ir/ir_fields.py:195
openobject-server/openerp/addons/base/ir/ir_fields.py:226
openobject-server/openerp/addons/base/ir/ir_fields.py:265
openobject-server/openerp/addons/base/ir/ir_fields.py:313
openobject-server/openerp/addons/base/ir/ir_fields.py:342

The quickfix is to *.replace('%', '%%')

description: updated
description: updated
summary: - bad raise depending on user data
+ Missing protection against '%' in user data
description: updated
Christophe Combelles (ccomb) wrote :

Here is a sample fix, but it does not contain additional unit tests for all these cases, which may be a good idea: https://code.launchpad.net/~anybox/openobject-server/lp1100907

Changed in openobject-server:
status: New → Confirmed
status: Confirmed → New
Changed in openobject-server:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
importance: Undecided → Medium
status: New → Confirmed