[fix] injection
diff --git a/erpnext/accounts/doctype/journal_entry/journal_entry.py b/erpnext/accounts/doctype/journal_entry/journal_entry.py
index c5035ad..1a90aab 100644
--- a/erpnext/accounts/doctype/journal_entry/journal_entry.py
+++ b/erpnext/accounts/doctype/journal_entry/journal_entry.py
@@ -2,7 +2,7 @@
 # License: GNU General Public License v3. See license.txt
 
 from __future__ import unicode_literals
-import frappe
+import frappe, json
 from frappe.utils import cstr, flt, fmt_money, formatdate
 from frappe import msgprint, _, scrub
 from erpnext.controllers.accounts_controller import AccountsController
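Review bot: Style: `import frappe, json` on the new line puts two modules on one statement; PEP 8 asks for one import per line, with the standard-library module grouped before third-party ones, so `import json` above `import frappe`. Nothing else in this hunk changes behaviour.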
@@ -283,7 +283,7 @@
 				frappe.throw(_("Please check Multi Currency option to allow accounts with other currency"))
 
 		self.set_exchange_rate()
-	
+
 	def set_amounts_in_company_currency(self):
 		for d in self.get("accounts"):
 			d.debit = flt(flt(d.debit_in_account_currency)*flt(d.exchange_rate), d.precision("debit"))
@@ -520,14 +520,14 @@
 			"account_currency": account_details.account_currency,
 			"account_type": account_details.account_type
 		}
-		
+
 @frappe.whitelist()
 def get_payment_entry_against_order(dt, dn):
 	ref_doc = frappe.get_doc(dt, dn)
-	
+
 	if flt(ref_doc.per_billed, 2) > 0:
 		frappe.throw(_("Can only make payment against unbilled {0}").format(dt))
-		
+
 	if dt == "Sales Order":
 		party_type = "Customer"
 		amount_field_party = "credit_in_account_currency"
@@ -536,15 +536,15 @@
 		party_type = "Supplier"
 		amount_field_party = "debit_in_account_currency"
 		amount_field_bank = "credit_in_account_currency"
-		
+
 	party_account = get_party_account(party_type, ref_doc.get(party_type.lower()), ref_doc.company)
 	party_account_currency = get_account_currency(party_account)
-	
+
 	if party_account_currency == ref_doc.company_currency:
 		amount = flt(ref_doc.base_grand_total) - flt(ref_doc.advance_paid)
 	else:
 		amount = flt(ref_doc.grand_total) - flt(ref_doc.advance_paid)
-		
+
 	return get_payment_entry(ref_doc, {
 		"party_type": party_type,
 		"party_account": party_account,
@@ -555,7 +555,7 @@
 		"remarks": 'Advance Payment received against {0} {1}'.format(dt, dn),
 		"is_advance": "Yes"
 	})
-	
+
 @frappe.whitelist()
 def get_payment_entry_against_invoice(dt, dn):
 	ref_doc = frappe.get_doc(dt, dn)
@@ -569,7 +569,7 @@
 		party_account = ref_doc.credit_to
 		amount_field_party = "debit_in_account_currency"
 		amount_field_bank = "credit_in_account_currency"
-		
+
 	return get_payment_entry(ref_doc, {
 		"party_type": party_type,
 		"party_account": party_account,
@@ -580,10 +580,10 @@
 		"remarks": 'Payment received against {0} {1}. {2}'.format(dt, dn, ref_doc.remarks),
 		"is_advance": "No"
 	})
-	
+
 def get_payment_entry(ref_doc, args):
 	cost_center = frappe.db.get_value("Company", ref_doc.company, "cost_center")
-	exchange_rate = get_exchange_rate(args.get("party_account"), args.get("party_account_currency"), 
+	exchange_rate = get_exchange_rate(args.get("party_account"), args.get("party_account_currency"),
 		ref_doc.company, ref_doc.doctype, ref_doc.name)
 
 	jv = frappe.new_doc("Journal Entry")
@@ -592,7 +592,7 @@
 		"company": ref_doc.company,
 		"remark": args.get("remarks")
 	})
-	
+
 	party_row = jv.append("accounts", {
 		"account": args.get("party_account"),
 		"party_type": args.get("party_type"),
@@ -614,11 +614,11 @@
 	bank_account = get_default_bank_cash_account(ref_doc.company, "Bank Entry")
 	if bank_account:
 		bank_row.update(bank_account)
-		bank_row.exchange_rate = get_exchange_rate(bank_account["account"], 
+		bank_row.exchange_rate = get_exchange_rate(bank_account["account"],
 			bank_account["account_currency"], ref_doc.company)
-			
+
 	bank_row.cost_center = cost_center
-	
+
 	if bank_row.account_currency == args.get("party_account_currency"):
 		bank_row.set(args.get("amount_field_bank"), args.get("amount"))
 	else:
@@ -630,7 +630,7 @@
 			jv.multi_currency = 1
 
 	jv.set_amounts_in_company_currency()
-	
+
 	return jv.as_dict()
 
 @frappe.whitelist()
@@ -647,14 +647,17 @@
 		from `tabJournal Entry` jv, `tabJournal Entry Account` jv_detail
 		where jv_detail.parent = jv.name and jv_detail.account = %s and ifnull(jv_detail.party, '') = %s
 		and ifnull(jv_detail.reference_type, '') = ''
-		and jv.docstatus = 1 and jv.{0} like %s order by jv.name desc limit %s, %s""".format(searchfield),
+		and jv.docstatus = 1 and jv.`{0}` like %s order by jv.name desc limit %s, %s""".format(frappe.db.escape(searchfield)),
 		(filters.get("account"), cstr(filters.get("party")), "%{0}%".format(txt), start, page_len))
 
 @frappe.whitelist()
 def get_outstanding(args):
 	if not frappe.has_permission("Account"):
 		frappe.msgprint(_("No Permission"), raise_exception=1)
-	args = eval(args)
+
+	if isinstance(args, basestring):
+		args = json.loads(args)
+
 	company_currency = get_company_currency(args.get("company"))
 
 	if args.get("doctype") == "Journal Entry":
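Review bot: Replacing `eval` with `json.loads` is the right fix, but the new branch only guarantees `args` was parsed, not that it is a mapping: a JSON list or scalar reaches `args.get("company")` and fails with an AttributeError instead of a clear error. Add `if not isinstance(args, dict): frappe.throw(_("Invalid arguments"))` after the parse. `basestring` is Python 2 only, consistent with the `unicode_literals` import at the top of this file. `get_outstanding` continues past the end of the hunk.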
diff --git a/erpnext/accounts/doctype/payment_tool/payment_tool.py b/erpnext/accounts/doctype/payment_tool/payment_tool.py
index b4e5f89..aa7b127 100644
--- a/erpnext/accounts/doctype/payment_tool/payment_tool.py
+++ b/erpnext/accounts/doctype/payment_tool/payment_tool.py
@@ -125,6 +125,6 @@
 		select_cond = "{0} as total_amount".format(ref_field)
 
 	details = frappe.db.sql("""select {0} from `tab{1}` where name = %s"""
-		.format(select_cond, against_voucher_type), against_voucher_no, as_dict=1)
+		.format(select_cond, frappe.db.escape(against_voucher_type)), against_voucher_no, as_dict=1)
 
 	return details[0] if details else {}
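Review bot: Only the table name is escaped on the new line; `select_cond` is built from `ref_field` two lines above (`"{0} as total_amount".format(ref_field)`) and is interpolated into the same statement untouched. `ref_field` is assigned outside the hunk, so I cannot tell whether it is caller-controlled; if it is, it needs the same identifier validation as `against_voucher_type`, and if it is a fixed field name a short comment saying so (`# ref_field is one of the constant column names chosen above`) would save the next reader the question. The enclosing function starts before the hunk.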
diff --git a/erpnext/accounts/doctype/pricing_rule/pricing_rule.py b/erpnext/accounts/doctype/pricing_rule/pricing_rule.py
index 5209e8e..5c65e1f 100644
--- a/erpnext/accounts/doctype/pricing_rule/pricing_rule.py
+++ b/erpnext/accounts/doctype/pricing_rule/pricing_rule.py
@@ -179,7 +179,7 @@
 			if parent_groups:
 				if allow_blank: parent_groups.append('')
 				condition = " ifnull("+field+", '') in ('" + \
-					"', '".join([d.replace("'", "\\'").replace('"', '\\"').replace("%", "%%") for d in parent_groups])+"')"
+					"', '".join([frappe.db.escape(d) for d in parent_groups])+"')"
 		return condition
 
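Review bot: The new `frappe.db.escape(d)` line escapes the IN-list values, but `field` on the line above it is still concatenated raw into `" ifnull("+field+", '')"`; `field` is set outside the hunk, so whether it is user-controlled is not visible, but it should be an allowlisted column name rather than free text. The removed code also doubled `%` in each value, presumably because `condition` is later passed through `%` formatting; keep that behaviour only if this version's `frappe.db.escape` does the same (its `percent` argument defaults to doing so in the versions I know, but please confirm), otherwise values containing `%` will now break the formatted query.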
 
diff --git a/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py b/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py
index 91b01d5..c8f96d3 100644
--- a/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py
+++ b/erpnext/accounts/doctype/purchase_invoice/purchase_invoice.py
@@ -106,7 +106,7 @@
 	def check_for_stopped_or_closed_status(self):
 		check_list = []
 		pc_obj = frappe.get_doc('Purchase Common')
-		
+
 		for d in self.get('items'):
 			if d.purchase_order and not d.purchase_order in check_list and not d.purchase_receipt:
 				check_list.append(d.purchase_order)
@@ -395,7 +395,7 @@
 
 	def on_cancel(self):
 		self.check_for_stopped_or_closed_status()
-		
+
 		if not self.is_return:
 			from erpnext.accounts.utils import remove_against_link_from_jv
 			remove_against_link_from_jv(self.doctype, self.name)
@@ -438,10 +438,10 @@
 					or tabAccount.account_type in ("Expense Account", "Fixed Asset", "Temporary"))
 				and tabAccount.is_group=0
 				and tabAccount.docstatus!=2
-				and tabAccount.company = '%(company)s'
-				and tabAccount.%(key)s LIKE '%(txt)s'
-				%(mcond)s""" % {'company': filters['company'], 'key': searchfield,
-			'txt': "%%%s%%" % frappe.db.escape(txt), 'mcond':get_match_cond(doctype)})
+				and tabAccount.company = %(company)s
+				and tabAccount.{key} LIKE %(txt)s
+				{mcond}""".format( key=frappe.db.escape(searchfield), mcond=get_match_cond(doctype) ),
+				{ 'company': filters['company'], 'txt': "%%%s%%" % frappe.db.escape(txt) })
 
 @frappe.whitelist()
 def make_debit_note(source_name, target_doc=None):
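Review bot: `'txt': "%%%s%%" % frappe.db.escape(txt)` now double-escapes: since this hunk moves `company` and `txt` to bound parameters (`%(company)s`, `%(txt)s`), the driver quotes and escapes them itself, so the backslashes and the doubled `%` that escape() adds become literal characters in the LIKE pattern (a `txt` of `O'Brien` searches for `O\'Brien`). Change the last line to `{'company': filters['company'], 'txt': "%{0}%".format(txt)}`. Minor style on the same lines: `.format( key=..., mcond=... )` and `{ 'company': ...}` have spaces inside the brackets, which the rest of the file does not use. `{key}` still needs identifier validation as noted on the journal_entry.py hunk. The enclosing function starts before the hunk.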
diff --git a/erpnext/accounts/page/accounts_browser/accounts_browser.py b/erpnext/accounts/page/accounts_browser/accounts_browser.py
index 80101ce..210c4bf 100644
--- a/erpnext/accounts/page/accounts_browser/accounts_browser.py
+++ b/erpnext/accounts/page/accounts_browser/accounts_browser.py
@@ -25,9 +25,9 @@
 		acc = frappe.db.sql(""" select
 			name as value, is_group as expandable %s
 			from `tab%s`
-			where ifnull(parent_%s,'') = ''
+			where ifnull(`parent_%s`,'') = ''
 			and `company` = %s	and docstatus<2
-			order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
+			order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				company, as_dict=1)
 
 		if args["parent"]=="Accounts":
@@ -38,9 +38,9 @@
 		acc = frappe.db.sql("""select
 			name as value, is_group as expandable %s
 	 		from `tab%s`
-			where ifnull(parent_%s,'') = %s
+			where ifnull(`parent_%s`,'') = %s
 			and docstatus<2
-			order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
+			order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				args['parent'], as_dict=1)
 
 	if ctype == 'Account':
diff --git a/erpnext/accounts/utils.py b/erpnext/accounts/utils.py
index 5d0403e..c2ada13 100644
--- a/erpnext/accounts/utils.py
+++ b/erpnext/accounts/utils.py
@@ -65,7 +65,7 @@
 
 	cond = []
 	if date:
-		cond.append("posting_date <= '%s'" % date)
+		cond.append("posting_date <= '%s'" % frappe.db.escape(date))
 	else:
 		# get balance of all entries that exist
 		date = nowdate()
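Review bot: `"posting_date <= '%s'" % frappe.db.escape(date)` keeps the value interpolated into SQL text with escaping as the only defence; the stronger form is to bind it, i.e. append `"posting_date <= %s"` to `cond` and keep a parallel `values` list that is passed as the parameters of the final `frappe.db.sql` call. The same applies to the `gle.account` and `gle.party_type` / `gle.party` lines in the second hunk of this file. `cond` is consumed outside both hunks, so the parameter list has to be threaded through to that call; a cheaper interim check is to normalise `date` with `frappe.utils.getdate` before use so it can only ever be a date.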
@@ -105,11 +105,11 @@
 			if acc.account_currency == frappe.db.get_value("Company", acc.company, "default_currency"):
 				in_account_currency = False
 		else:
-			cond.append("""gle.account = "%s" """ % (account.replace('"', '\\"'), ))
+			cond.append("""gle.account = "%s" """ % (frappe.db.escape(account), ))
 
 	if party_type and party:
 		cond.append("""gle.party_type = "%s" and gle.party = "%s" """ %
-			(party_type.replace('"', '\\"'), party.replace('"', '\\"')))
+			(frappe.db.escape(party_type), frappe.db.escape(party)))
 
 	if account or (party_type and party):
 		if in_account_currency:
diff --git a/erpnext/projects/utils.py b/erpnext/projects/utils.py
index fdd0b52..1f6e2b3 100644
--- a/erpnext/projects/utils.py
+++ b/erpnext/projects/utils.py
@@ -13,12 +13,12 @@
 @frappe.whitelist()
 def query_task(doctype, txt, searchfield, start, page_len, filters):
 	from frappe.desk.reportview import build_match_conditions
-	
+
 	search_string = "%%%s%%" % txt
 	order_by_string = "%s%%" % txt
 	match_conditions = build_match_conditions("Task")
 	match_conditions = ("and" + match_conditions) if match_conditions else ""
-	
+
 	return frappe.db.sql("""select name, subject from `tabTask`
 		where (`%s` like %s or `subject` like %s) %s
 		order by
@@ -26,7 +26,7 @@
 			case when `%s` like %s then 0 else 1 end,
 			`%s`,
 			subject
-		limit %s, %s""" % 
-		(searchfield, "%s", "%s", match_conditions, "%s", 
-			searchfield, "%s", searchfield, "%s", "%s"),
-		(search_string, search_string, order_by_string, order_by_string, start, page_len))
\ No newline at end of file
+		limit %s, %s""" %
+		(frappe.db.escape(searchfield), "%s", "%s", match_conditions, "%s",
+			frappe.db.escape(searchfield), "%s", frappe.db.escape(searchfield), "%s", "%s"),
+		(search_string, search_string, order_by_string, order_by_string, start, page_len))
diff --git a/erpnext/selling/doctype/sales_order/sales_order.py b/erpnext/selling/doctype/sales_order/sales_order.py
index 2f4884b..5ceeea8 100644
--- a/erpnext/selling/doctype/sales_order/sales_order.py
+++ b/erpnext/selling/doctype/sales_order/sales_order.py
@@ -607,7 +607,7 @@
 			name, supplier_name
 		limit %(start)s, %(page_len)s """.format(**{
 			'field': fields,
-			'key': searchfield
+			'key': frappe.db.escape(searchfield)
 		}), {
 			'txt': "%%%s%%" % txt,
 			'_txt': txt.replace("%", ""),
diff --git a/erpnext/selling/page/sales_browser/sales_browser.py b/erpnext/selling/page/sales_browser/sales_browser.py
index cfb283e..018ba3b 100644
--- a/erpnext/selling/page/sales_browser/sales_browser.py
+++ b/erpnext/selling/page/sales_browser/sales_browser.py
@@ -8,16 +8,16 @@
 @frappe.whitelist()
 def get_children():
 	ctype = frappe.local.form_dict.get('ctype')
-	frappe.local.form_dict['parent_field'] = 'parent_' + ctype.lower().replace(' ', '_')
-	if not frappe.form_dict.get('parent'):
-		frappe.local.form_dict['parent'] = ''
+	parent_field = 'parent_' + ctype.lower().replace(' ', '_')
+	parent = frappe.form_dict.get("parent") or ""
 
 	return frappe.db.sql("""select name as value,
 		if(is_group='Yes', 1, 0) as expandable
-		from `tab%(ctype)s`
+		from `tab{ctype}`
 		where docstatus < 2
-		and ifnull(%(parent_field)s,'') = "%(parent)s"
-		order by name""" % frappe.local.form_dict, as_dict=1)
+		and ifnull(`{parent_field}`,'') = %s
+		order by name""".format(ctype=frappe.db.escape(ctype), parent_field=frappe.db.escape(parent_field)),
+		parent, as_dict=1)
 
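Review bot: Moving `parent` to a bound parameter is the real fix here, but the endpoint still reads rows from whatever DocType the client names in `ctype` with no permission check on that DocType. Since `get_children` is whitelisted, add `if not frappe.has_permission(ctype, "read"): frappe.throw(frappe._("Not permitted"), frappe.PermissionError)` before the query, and validate `ctype` against the tree DocTypes this page serves rather than relying on `frappe.db.escape`, which is a value escaper (see the note on the journal_entry.py hunk). A `ctype` of `None` still fails on `.lower()` with an unhelpful AttributeError, as it did before this change.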
 @frappe.whitelist()
 def add_node():
diff --git a/erpnext/setup/doctype/sms_settings/sms_settings.py b/erpnext/setup/doctype/sms_settings/sms_settings.py
index 9099863..d0df33a 100644
--- a/erpnext/setup/doctype/sms_settings/sms_settings.py
+++ b/erpnext/setup/doctype/sms_settings/sms_settings.py
@@ -42,7 +42,7 @@
 def get_contact_number(contact_name, value, key):
 	"returns mobile number of the contact"
 	number = frappe.db.sql("""select mobile_no, phone from tabContact where name=%s and %s=%s""" %
-		('%s', key, '%s'), (contact_name, value))
+		('%s', frappe.db.escape(key), '%s'), (contact_name, value))
 	return number and (number[0][0] or number[0][1]) or ''
 
 @frappe.whitelist()
@@ -94,7 +94,7 @@
 	headers = {}
 	headers['Accept'] = "text/plain, text/html, */*"
 	conn.request('GET', api_url + urllib.urlencode(args), headers = headers)    # send request
-	resp = conn.getresponse()     # get response		
+	resp = conn.getresponse()     # get response
 	return resp.status
 
 # Split gateway url to server and api url
diff --git a/erpnext/utilities/doctype/address/address.py b/erpnext/utilities/doctype/address/address.py
index 8ae7c4d..a482891 100644
--- a/erpnext/utilities/doctype/address/address.py
+++ b/erpnext/utilities/doctype/address/address.py
@@ -35,7 +35,7 @@
 			for fieldname in self.link_fields:
 				if self.get(fieldname):
 					if not frappe.db.sql("""select name from `tabAddress` where is_primary_address=1
-						and `%s`=%s and name!=%s""" % (fieldname, "%s", "%s"),
+						and `%s`=%s and name!=%s""" % (frappe.db.escape(fieldname), "%s", "%s"),
 						(self.get(fieldname), self.name)):
 							self.is_primary_address = 1
 					break