fix security bug w/ query using 'NOT X eid 123'
authorSylvain Thenault <sylvain.thenault@logilab.fr>
Mon, 05 Jan 2009 14:09:18 +0100
changeset 321 247947250382
parent 320 e2647e72afe7
child 322 0d9aca19b3d0
Fix a security bug with queries using 'NOT X eid 123'
server/querier.py
server/test/unittest_security.py
--- a/server/querier.py	Mon Jan 05 14:08:40 2009 +0100
+++ b/server/querier.py	Mon Jan 05 14:09:18 2009 +0100
@@ -44,8 +44,8 @@
     for rel in restriction.iget_nodes(Relation):
         cmp = rel.children[1]
         if rel.r_type == 'eid' and cmp.operator == '=' and \
-                isinstance(cmp.children[0], Constant) and \
-                cmp.children[0].type == 'Substitute':
+               isinstance(cmp.children[0], Constant) and \
+               cmp.children[0].type == 'Substitute':
             varkwargs[rel.children[0].name] = typed_eid(cmp.children[0].eval(args))
     return varkwargs
 
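Review bot: The only change in this hunk is the indentation of the two continuation lines, so the condition at `if rel.r_type == 'eid' and cmp.operator == '=' and ...` still accepts a negated relation: `NOT X eid %(x)s` is a `Relation` node with `r_type == 'eid'` and a `Substitute` constant exactly like the positive form, and the function then records X as bound to an eid the query explicitly excludes. If the fix named in the commit title lives in a caller outside this hunk, a comment here such as `# NOTE: negated 'NOT X eid' relations must be filtered by the caller, this helper does not check negation` would stop the next reader from assuming the helper is safe on its own; otherwise the negation test (presumably something like `rel.neged()` on the rql node, to be confirmed against the rql API) belongs in this condition. The local `cmp` also shadows the Python 2 builtin of the same name; `comparison` would avoid that. The enclosing function starts before this hunk.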
--- a/server/test/unittest_security.py	Mon Jan 05 14:08:40 2009 +0100
+++ b/server/test/unittest_security.py	Mon Jan 05 14:09:18 2009 +0100
@@ -235,7 +235,7 @@
         self.assertRaises(Unauthorized,
                           cu.execute, 'Personne U where U nom "managers"')
 
-    def test_read_erqlexpr(self):
+    def test_read_erqlexpr_base(self):
         eid = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
         self.commit()
         cnx = self.login('iaminusersgrouponly')
@@ -243,7 +243,7 @@
         rset = cu.execute('Affaire X')
         self.assertEquals(rset.rows, [])
         self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x': eid}, 'x')
-        #  cache test
+        # cache test
         self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x': eid}, 'x')
         aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
         soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0]
@@ -251,6 +251,11 @@
         cnx.commit()
         rset = cu.execute('Any X WHERE X eid %(x)s', {'x': aff2}, 'x')
         self.assertEquals(rset.rows, [[aff2]])
+        # more cache test w/ NOT eid
+        rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid}, 'x')
+        self.assertEquals(rset.rows, [])
+        rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2}, 'x')
+        self.assertEquals(rset.rows, [])
         
     def test_read_erqlexpr_has_text1(self):
         aff1 = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
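Review bot: The expected `[]` on the first added assertion (`Affaire X WHERE NOT X eid %(x)s` with `x: eid`) is not explained: the lines just above show that `aff2` is an Affaire readable by this connection and the restriction excludes only the unreadable `eid`, so `[[aff2]]` is what a reader would expect unless the erqlexpr rewrite of `Affaire X` behaves differently from the single-eid check; either the assertion is wrong or the reason belongs in a comment. The second assertion is clear, since it excludes the only readable Affaire. The comment `# more cache test w/ NOT eid` should also state what is being exercised; the two queries share their RQL text and differ only in the substituted eid, so something like `# same RQL text, different eid: the cached plan must not bind X to the excluded eid` would do, if that is indeed the cache behaviour the commit targets.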
@@ -300,7 +305,6 @@
         cu = cnx.cursor()
         rset = cu.execute('Any COUNT(X) WHERE X is Affaire')
         self.assertEquals(rset.rows, [[0]])        
-        cu = cnx.cursor()
         aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
         soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0]
         cu.execute("SET A concerne S WHERE A is Affaire, S is Societe")