From da79740cdfe4dd73e5ef3840ba45ad2c8df2cb78 Mon Sep 17 00:00:00 2001 From: Anand Doshi Date: Tue, 17 Nov 2015 18:27:50 +0530 Subject: [PATCH] [fix] injection --- .../doctype/journal_entry/journal_entry.py | 41 ++++++++++--------- .../doctype/payment_tool/payment_tool.py | 2 +- .../doctype/pricing_rule/pricing_rule.py | 2 +- .../purchase_invoice/purchase_invoice.py | 12 +++--- .../page/accounts_browser/accounts_browser.py | 8 ++-- erpnext/accounts/utils.py | 6 +-- erpnext/projects/utils.py | 12 +++--- .../doctype/sales_order/sales_order.py | 2 +- .../page/sales_browser/sales_browser.py | 12 +++--- .../doctype/sms_settings/sms_settings.py | 4 +- erpnext/utilities/doctype/address/address.py | 2 +- 11 files changed, 53 insertions(+), 50 deletions(-) diff --git a/erpnext/accounts/doctype/journal_entry/journal_entry.py b/erpnext/accounts/doctype/journal_entry/journal_entry.py index c5035adcb6b..1a90aabb951 100644 --- a/erpnext/accounts/doctype/journal_entry/journal_entry.py +++ b/erpnext/accounts/doctype/journal_entry/journal_entry.py @@ -2,7 +2,7 @@ # License: GNU General Public License v3. See license.txt from __future__ import unicode_literals -import frappe +import frappe, json from frappe.utils import cstr, flt, fmt_money, formatdate from frappe import msgprint, _, scrub from erpnext.controllers.accounts_controller import AccountsController @@ -283,7 +283,7 @@ class JournalEntry(AccountsController): frappe.throw(_("Please check Multi Currency option to allow accounts with other currency")) self.set_exchange_rate() - + def set_amounts_in_company_currency(self): for d in self.get("accounts"): d.debit = flt(flt(d.debit_in_account_currency)*flt(d.exchange_rate), d.precision("debit")) 
@@ -520,14 +520,14 @@ def get_default_bank_cash_account(company, voucher_type, mode_of_payment=None): "account_currency": account_details.account_currency, "account_type": account_details.account_type } - + @frappe.whitelist() def get_payment_entry_against_order(dt, dn): ref_doc = frappe.get_doc(dt, dn) - + if flt(ref_doc.per_billed, 2) > 0: frappe.throw(_("Can only make payment against unbilled {0}").format(dt)) - + if dt == "Sales Order": party_type = "Customer" amount_field_party = "credit_in_account_currency" @@ -536,15 +536,15 @@ def get_payment_entry_against_order(dt, dn): party_type = "Supplier" amount_field_party = "debit_in_account_currency" amount_field_bank = "credit_in_account_currency" - + party_account = get_party_account(party_type, ref_doc.get(party_type.lower()), ref_doc.company) party_account_currency = get_account_currency(party_account) - + if party_account_currency == ref_doc.company_currency: amount = flt(ref_doc.base_grand_total) - flt(ref_doc.advance_paid) else: amount = flt(ref_doc.grand_total) - flt(ref_doc.advance_paid) - + return get_payment_entry(ref_doc, { "party_type": party_type, "party_account": party_account, @@ -555,7 +555,7 @@ def get_payment_entry_against_order(dt, dn): "remarks": 'Advance Payment received against {0} {1}'.format(dt, dn), "is_advance": "Yes" }) - + @frappe.whitelist() def get_payment_entry_against_invoice(dt, dn): ref_doc = frappe.get_doc(dt, dn) @@ -569,7 +569,7 @@ def get_payment_entry_against_invoice(dt, dn): party_account = ref_doc.credit_to amount_field_party = "debit_in_account_currency" amount_field_bank = "credit_in_account_currency" - + return get_payment_entry(ref_doc, { "party_type": party_type, "party_account": party_account, 
@@ -580,10 +580,10 @@ def get_payment_entry_against_invoice(dt, dn): "remarks": 'Payment received against {0} {1}. {2}'.format(dt, dn, ref_doc.remarks), "is_advance": "No" }) - + def get_payment_entry(ref_doc, args): cost_center = frappe.db.get_value("Company", ref_doc.company, "cost_center") - exchange_rate = get_exchange_rate(args.get("party_account"), args.get("party_account_currency"), + exchange_rate = get_exchange_rate(args.get("party_account"), args.get("party_account_currency"), ref_doc.company, ref_doc.doctype, ref_doc.name) jv = frappe.new_doc("Journal Entry") @@ -592,7 +592,7 @@ def get_payment_entry(ref_doc, args): "company": ref_doc.company, "remark": args.get("remarks") }) - + party_row = jv.append("accounts", { "account": args.get("party_account"), "party_type": args.get("party_type"), @@ -614,11 +614,11 @@ def get_payment_entry(ref_doc, args): bank_account = get_default_bank_cash_account(ref_doc.company, "Bank Entry") if bank_account: bank_row.update(bank_account) - bank_row.exchange_rate = get_exchange_rate(bank_account["account"], + bank_row.exchange_rate = get_exchange_rate(bank_account["account"], bank_account["account_currency"], ref_doc.company) - + bank_row.cost_center = cost_center - + if bank_row.account_currency == args.get("party_account_currency"): bank_row.set(args.get("amount_field_bank"), args.get("amount")) else: @@ -630,7 +630,7 @@ def get_payment_entry(ref_doc, args): jv.multi_currency = 1 jv.set_amounts_in_company_currency() - + return jv.as_dict() @frappe.whitelist() 
@@ -647,14 +647,17 @@ def get_against_jv(doctype, txt, searchfield, start, page_len, filters): from `tabJournal Entry` jv, `tabJournal Entry Account` jv_detail where jv_detail.parent = jv.name and jv_detail.account = %s and ifnull(jv_detail.party, '') = %s and ifnull(jv_detail.reference_type, '') = '' - and jv.docstatus = 1 and jv.{0} like %s order by jv.name desc limit %s, %s""".format(searchfield), + and jv.docstatus = 1 and jv.`{0}` like %s order by jv.name desc limit %s, %s""".format(frappe.db.escape(searchfield)), (filters.get("account"), cstr(filters.get("party")), "%{0}%".format(txt), start, page_len)) @frappe.whitelist() def get_outstanding(args): if not frappe.has_permission("Account"): frappe.msgprint(_("No Permission"), raise_exception=1) - args = eval(args) + + if isinstance(args, basestring): + args = json.loads(args) + company_currency = get_company_currency(args.get("company")) if args.get("doctype") == "Journal Entry": diff --git a/erpnext/accounts/doctype/payment_tool/payment_tool.py b/erpnext/accounts/doctype/payment_tool/payment_tool.py index b4e5f89f708..aa7b127ca5b 100644 --- a/erpnext/accounts/doctype/payment_tool/payment_tool.py +++ b/erpnext/accounts/doctype/payment_tool/payment_tool.py @@ -125,6 +125,6 @@ def get_against_voucher_amount(against_voucher_type, against_voucher_no, party_a select_cond = "{0} as total_amount".format(ref_field) details = frappe.db.sql("""select {0} from `tab{1}` where name = %s""" - .format(select_cond, against_voucher_type), against_voucher_no, as_dict=1) + .format(select_cond, frappe.db.escape(against_voucher_type)), against_voucher_no, as_dict=1) return details[0] if details else {} diff --git a/erpnext/accounts/doctype/pricing_rule/pricing_rule.py b/erpnext/accounts/doctype/pricing_rule/pricing_rule.py index 5209e8ec852..5c65e1f0911 100644 --- a/erpnext/accounts/doctype/pricing_rule/pricing_rule.py +++ b/erpnext/accounts/doctype/pricing_rule/pricing_rule.py 
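Review bot: In get_against_jv, `frappe.db.escape(searchfield)` on the rewritten `jv.{0} like %s` line applies a string-literal escaper to a SQL identifier, which does not validate it: an identifier cannot be bound as a parameter and `escape` is only meaningful inside a quoted literal (whether this version also neutralises backticks is not visible here), so `searchfield` should instead be checked against an allowlist — for example the field names from `frappe.get_meta("Journal Entry")` — and rejected or replaced by `name` otherwise. The same pattern is introduced in the other hunks of this patch (`against_voucher_type` in payment_tool.py, `searchfield` in purchase_invoice.py, projects/utils.py, sales_order.py and sms_settings.py, `ctype` in accounts_browser.py and sales_browser.py, `fieldname` in address.py), and where the identifier is not even backtick-quoted (purchase_invoice.py's `tabAccount.{key}`, sms_settings.py's `and %s=%s`) the escape constrains nothing, because the characters that matter in that position are not ones a quote-escaper rewrites. Replacing `eval(args)` with `json.loads` in get_outstanding is the right call; since the result is then used through `args.get(...)`, a shape check such as `if not isinstance(args, dict): frappe.throw(_("Invalid arguments"))` would turn a non-object payload into a clear error instead of an AttributeError. get_outstanding continues past the end of the hunk.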
@@ -179,7 +179,7 @@ def get_pricing_rules(args): if parent_groups: if allow_blank: parent_groups.append('') condition = " ifnull("+field+", '') in ('" + \ - "', '".join([d.replace("'", "\\'").replace('"', '\\"').replace("%", "%%") for d in parent_groups])+"')" + "', '".join([frappe.db.escape(d) for d in parent_groups])+"')" return condition diff --git a/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py b/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py index 91b01d51033..c8f96d3976c 100644 --- a/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py +++ b/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py @@ -106,7 +106,7 @@ class PurchaseInvoice(BuyingController): def check_for_stopped_or_closed_status(self): check_list = [] pc_obj = frappe.get_doc('Purchase Common') - + for d in self.get('items'): if d.purchase_order and not d.purchase_order in check_list and not d.purchase_receipt: check_list.append(d.purchase_order) @@ -395,7 +395,7 @@ class PurchaseInvoice(BuyingController): def on_cancel(self): self.check_for_stopped_or_closed_status() - + if not self.is_return: from erpnext.accounts.utils import remove_against_link_from_jv remove_against_link_from_jv(self.doctype, self.name) 
@@ -438,10 +438,10 @@ def get_expense_account(doctype, txt, searchfield, start, page_len, filters): or tabAccount.account_type in ("Expense Account", "Fixed Asset", "Temporary")) and tabAccount.is_group=0 and tabAccount.docstatus!=2 - and tabAccount.company = '%(company)s' - and tabAccount.%(key)s LIKE '%(txt)s' - %(mcond)s""" % {'company': filters['company'], 'key': searchfield, - 'txt': "%%%s%%" % frappe.db.escape(txt), 'mcond':get_match_cond(doctype)}) + and tabAccount.company = %(company)s + and tabAccount.{key} LIKE %(txt)s + {mcond}""".format( key=frappe.db.escape(searchfield), mcond=get_match_cond(doctype) ), + { 'company': filters['company'], 'txt': "%%%s%%" % frappe.db.escape(txt) }) @frappe.whitelist() def make_debit_note(source_name, target_doc=None): diff --git a/erpnext/accounts/page/accounts_browser/accounts_browser.py b/erpnext/accounts/page/accounts_browser/accounts_browser.py index 80101ce0c53..210c4bf729c 100644 --- a/erpnext/accounts/page/accounts_browser/accounts_browser.py +++ b/erpnext/accounts/page/accounts_browser/accounts_browser.py @@ -25,9 +25,9 @@ def get_children(): acc = frappe.db.sql(""" select name as value, is_group as expandable %s from `tab%s` - where ifnull(parent_%s,'') = '' + where ifnull(`parent_%s`,'') = '' and `company` = %s and docstatus<2 - order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'), + order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'), company, as_dict=1) if args["parent"]=="Accounts": 
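Review bot: In get_expense_account, `'txt': "%%%s%%" % frappe.db.escape(txt)` keeps the escape that the old inline `'%(txt)s'` form needed, but `%(txt)s` is now a bound parameter that the driver quotes itself, so the value is escaped twice; LIKE appears to tolerate the extra backslashes as its escape character, which is why the search still works, but the intent is obscured and the line should become `'txt': "%%%s%%" % txt`, as get_supplier in sales_order.py already does in this same patch. The spacing in `.format( key=..., mcond=... )` and `{ 'company': ... }` also departs from the style of the surrounding code and is worth normalising. The select list and the opening of the query are above the hunk.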
@@ -38,9 +38,9 @@ def get_children(): acc = frappe.db.sql("""select name as value, is_group as expandable %s from `tab%s` - where ifnull(parent_%s,'') = %s + where ifnull(`parent_%s`,'') = %s and docstatus<2 - order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'), + order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'), args['parent'], as_dict=1) if ctype == 'Account': diff --git a/erpnext/accounts/utils.py b/erpnext/accounts/utils.py index 5d0403ea3a9..c2ada13bedd 100644 --- a/erpnext/accounts/utils.py +++ b/erpnext/accounts/utils.py @@ -65,7 +65,7 @@ def get_balance_on(account=None, date=None, party_type=None, party=None, in_acco cond = [] if date: - cond.append("posting_date <= '%s'" % date) + cond.append("posting_date <= '%s'" % frappe.db.escape(date)) else: # get balance of all entries that exist date = nowdate() @@ -105,11 +105,11 @@ def get_balance_on(account=None, date=None, party_type=None, party=None, in_acco if acc.account_currency == frappe.db.get_value("Company", acc.company, "default_currency"): in_account_currency = False else: - cond.append("""gle.account = "%s" """ % (account.replace('"', '\\"'), )) + cond.append("""gle.account = "%s" """ % (frappe.db.escape(account), )) if party_type and party: cond.append("""gle.party_type = "%s" and gle.party = "%s" """ % - (party_type.replace('"', '\\"'), party.replace('"', '\\"'))) + (frappe.db.escape(party_type), frappe.db.escape(party))) if account or (party_type and party): if in_account_currency: diff --git a/erpnext/projects/utils.py b/erpnext/projects/utils.py index fdd0b52c900..1f6e2b3eaa4 100644 --- a/erpnext/projects/utils.py +++ b/erpnext/projects/utils.py 
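Review bot: In get_balance_on (accounts/utils.py, hunks at -65 and -105), the WHERE clause is still assembled from inline literals (`posting_date <= '%s'`, `gle.account = "%s"`, `gle.party = "%s"`), now routed through `frappe.db.escape`; that is only correct as long as `escape`'s output matches how the joined `cond` is eventually executed — for instance, if `escape` doubles `%` for `%`-formatted queries, the final `frappe.db.sql` call must be of the formatting kind, and that call is outside the hunk. Appending placeholders and collecting the values in a parallel list passed to `frappe.db.sql` would remove that coupling: `cond.append("posting_date <= %s"); values.append(date)`. For `date` in particular, normalising it with `getdate(date)` before use would reject a non-date string up front — hedged, as this module's imports are not visible here. The function body continues outside both hunks.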
@@ -13,12 +13,12 @@ def get_time_log_list(doctype, txt, searchfield, start, page_len, filters): @frappe.whitelist() def query_task(doctype, txt, searchfield, start, page_len, filters): from frappe.desk.reportview import build_match_conditions - + search_string = "%%%s%%" % txt order_by_string = "%s%%" % txt match_conditions = build_match_conditions("Task") match_conditions = ("and" + match_conditions) if match_conditions else "" - + return frappe.db.sql("""select name, subject from `tabTask` where (`%s` like %s or `subject` like %s) %s order by @@ -26,7 +26,7 @@ def query_task(doctype, txt, searchfield, start, page_len, filters): case when `%s` like %s then 0 else 1 end, `%s`, subject - limit %s, %s""" % - (searchfield, "%s", "%s", match_conditions, "%s", - searchfield, "%s", searchfield, "%s", "%s"), - (search_string, search_string, order_by_string, order_by_string, start, page_len)) \ No newline at end of file + limit %s, %s""" % + (frappe.db.escape(searchfield), "%s", "%s", match_conditions, "%s", + frappe.db.escape(searchfield), "%s", frappe.db.escape(searchfield), "%s", "%s"), + (search_string, search_string, order_by_string, order_by_string, start, page_len)) diff --git a/erpnext/selling/doctype/sales_order/sales_order.py b/erpnext/selling/doctype/sales_order/sales_order.py index 2f4884b185b..5ceeea8518b 100644 --- a/erpnext/selling/doctype/sales_order/sales_order.py +++ b/erpnext/selling/doctype/sales_order/sales_order.py @@ -607,7 +607,7 @@ def get_supplier(doctype, txt, searchfield, start, page_len, filters): name, supplier_name limit %(start)s, %(page_len)s """.format(**{ 'field': fields, - 'key': searchfield + 'key': frappe.db.escape(searchfield) }), { 'txt': "%%%s%%" % txt, '_txt': txt.replace("%", ""), diff --git a/erpnext/selling/page/sales_browser/sales_browser.py b/erpnext/selling/page/sales_browser/sales_browser.py index cfb283e262b..018ba3b0811 100644 --- a/erpnext/selling/page/sales_browser/sales_browser.py 
+++ b/erpnext/selling/page/sales_browser/sales_browser.py @@ -8,16 +8,16 @@ import frappe @frappe.whitelist() def get_children(): ctype = frappe.local.form_dict.get('ctype') - frappe.local.form_dict['parent_field'] = 'parent_' + ctype.lower().replace(' ', '_') - if not frappe.form_dict.get('parent'): - frappe.local.form_dict['parent'] = '' + parent_field = 'parent_' + ctype.lower().replace(' ', '_') + parent = frappe.form_dict.get("parent") or "" return frappe.db.sql("""select name as value, if(is_group='Yes', 1, 0) as expandable - from `tab%(ctype)s` + from `tab{ctype}` where docstatus < 2 - and ifnull(%(parent_field)s,'') = "%(parent)s" - order by name""" % frappe.local.form_dict, as_dict=1) + and ifnull(`{parent_field}`,'') = %s + order by name""".format(ctype=frappe.db.escape(ctype), parent_field=frappe.db.escape(parent_field)), + parent, as_dict=1) @frappe.whitelist() def add_node(): diff --git a/erpnext/setup/doctype/sms_settings/sms_settings.py b/erpnext/setup/doctype/sms_settings/sms_settings.py index 909986347f3..d0df33a86ea 100644 --- a/erpnext/setup/doctype/sms_settings/sms_settings.py +++ b/erpnext/setup/doctype/sms_settings/sms_settings.py @@ -42,7 +42,7 @@ def get_sender_name(): def get_contact_number(contact_name, value, key): "returns mobile number of the contact" number = frappe.db.sql("""select mobile_no, phone from tabContact where name=%s and %s=%s""" % - ('%s', key, '%s'), (contact_name, value)) + ('%s', frappe.db.escape(key), '%s'), (contact_name, value)) return number and (number[0][0] or number[0][1]) or '' @frappe.whitelist() @@ -94,7 +94,7 @@ def send_request(gateway_url, args): headers = {} headers['Accept'] = "text/plain, text/html, */*" conn.request('GET', api_url + urllib.urlencode(args), headers = headers) # send request - resp = conn.getresponse() # get response + resp = conn.getresponse() # get response return resp.status # Split gateway url to server and api url 
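Review bot: In sales_browser.get_children, `ctype` comes straight from `form_dict` and, after `frappe.db.escape`, still names the table in `tab{ctype}` and the column in `parent_field`, so a request parameter continues to choose the table; escaping a string literal does not validate an identifier, and the rewritten `parent_field = 'parent_' + ctype.lower()...` line also raises an AttributeError when `ctype` is absent. A guard before the query, `if not ctype or ctype not in <allowed tree doctypes — placeholder>: frappe.throw(frappe._("Invalid doctype"))`, would close both. Binding `parent` as a parameter is the right change. Note that the rewrite also drops the old side effect of writing `parent_field` and `parent` back into `frappe.local.form_dict`; if anything downstream of this call read those keys that behaviour is gone — hedged, as no such reader is visible here.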
diff --git a/erpnext/utilities/doctype/address/address.py b/erpnext/utilities/doctype/address/address.py index 8ae7c4da6f7..a4828914c3b 100644 --- a/erpnext/utilities/doctype/address/address.py +++ b/erpnext/utilities/doctype/address/address.py @@ -35,7 +35,7 @@ class Address(Document): for fieldname in self.link_fields: if self.get(fieldname): if not frappe.db.sql("""select name from `tabAddress` where is_primary_address=1 - and `%s`=%s and name!=%s""" % (fieldname, "%s", "%s"), + and `%s`=%s and name!=%s""" % (frappe.db.escape(fieldname), "%s", "%s"), (self.get(fieldname), self.name)): self.is_primary_address = 1 break