Odoo Server (MOVED TO GITHUB)

safe_eval _import method restrict modules to use in python code fields, and have a missing argument too

Bug #1199136 reported by Katherine Zaoral (Vauxoo)
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Odoo Server (MOVED TO GITHUB)
New
Undecided
Unassigned

Bug Description

I was trying to create a Salary Rule object in the HR Payroll Module, adding a python code into a python field.

I figure it out that i was limited to only import ['_strptime', 'time'] modules for use their methods in the python field. Debugging a little into the openerp/server/tools i found out that this was restrictive for the variable:

   _ALLOWED_MODULES = ['_strptime', 'time']

When I tried to add another python modules that I need, datetime and dateutil, it wont let me, so I add this two modules to the _ALLOWED_MODULES var and then it works, I was able to use all the modules I import that remains to into this variable.

   _ALLOWED_MODULES = ['_strptime', 'time', 'datetime', 'dateutil']

The _ALLOWED_MODULES variable is only use in this field and for the import purpose.

Also the server log raise an exception when trying to use the complete signature for the __import__() built-in method, it raise and make import error. For example, I use this signature:
     dateutil = __import__('dateutil', globals(), locals(), ['rrule', 'MO', 'DAILY'], -1)

Check into the save_eval code and discover that the fromlist argument of this function was missing when the import builtin function was overwritten by openerp. I added the argument at the overwrite method and then it works perfectly.

See original description
Revision history for this message
Katherine Zaoral (Vauxoo) (kathy-zaoral) wrote :
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.