Tryton - Issues

 

Issue4228

Title: Creating sequence on fiscalyear: ValueError: Double underscores not allowed
Priority: bug
Status: resolved
Superseder: CVE-2014-6633: safe_eval is, in fact, not safe (4155)
Nosy List: ajacoutot, bch, ced, duesenfranz, nicoe, roba, roundup-bot, sharkcz, yangoon
Type: crash
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 5681002

Created on 2014-10-02.22:40:47 by yangoon, last changed by roundup-bot.

Messages
New changeset b0469bec074a by Cédric Krier in branch '3.2':
Avoid double evaluation from inherit with different model
http://hg.tryton.org/trytond/rev/b0469bec074a

New changeset 08125c149a3e by Cédric Krier in branch '3.0':
Avoid double evaluation from inherit with different model
http://hg.tryton.org/trytond/rev/08125c149a3e

New changeset f43757ec69d9 by Cédric Krier in branch '2.8':
Avoid double evaluation from inherit with different model
http://hg.tryton.org/trytond/rev/f43757ec69d9

New changeset ec71bb868ef3 by Cédric Krier in branch '2.6':
Avoid double evaluation from inherit with different model
http://hg.tryton.org/trytond/rev/ec71bb868ef3

New changeset b890cc2f66e4 by Cédric Krier in branch '2.4':
Avoid double evaluation from inherit with different model
http://hg.tryton.org/trytond/rev/b890cc2f66e4
msg18420 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2014-10-03.11:23:52
For me, it doesn't deserve it because only sequence.strict is affected, which is only used for invoice sequences. Normal usage will require creating such a sequence once per year (generally 1 January). So the bug could be managed like any other bug with the "monthly" bugfix releases.
msg18419 Author: [hidden] (yangoon) (Tryton translator) Date: 2014-10-03.11:17:43
Adding ajacoutot,bch,duesenfranz,nicoe,sharkcz from issue4155 to nosy.

@ced: Thx for the fix. I think we should have another quick bug fix release for this issue. Is this ok for you?
msg18418 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2014-10-03.00:29:22
Here is a review5681002 for the quick fix.
msg18417 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2014-10-03.00:24:49
This is because of the double call to fields_view_get due to the inherit of a view from another model.
I think we should drop this feature as we don't have "inherits" anymore, for which this was implemented.
Meanwhile, as every series is affected, I think we could avoid the second call to safe_eval if the attribute contains "__", as it will in any case fail and it also means that it was already encoded.
msg18416 Author: [hidden] (yangoon) (Tryton translator) Date: 2014-10-02.22:42:37
Also confirmed when trying to create a strict sequence from Administration
msg18415 Author: [hidden] (yangoon) (Tryton translator) Date: 2014-10-02.22:40:46
- All modules installation
- create a fiscalyear
- on Tab Sequences in the field of the first sequence (Post Move Sequence) hit F3 and create first sequence
- go to second field (Customer Invoice Sequence) and hit F3

->

Traceback (most recent call last):
  File "/trytond/protocols/jsonrpc.py", line 150, in _marshaled_dispatch
    response['result'] = dispatch_method(method, params)
  File "/trytond/protocols/jsonrpc.py", line 179, in _dispatch
    res = dispatch(*args)
  File "/trytond/protocols/dispatcher.py", line 160, in dispatch
    result = rpc.result(meth(*c_args, **c_kwargs))
  File "/trytond/model/modelview.py", line 239, in fields_view_get
    result['field_childs'])
  File "/trytond/model/modelview.py", line 331, in _view_look_dom_arch
    fields_width=fields_width)
  File "/trytond/model/modelview.py", line 471, in __view_look_dom
    fields_width=fields_width, fields_attrs=fields_attrs)
  File "/trytond/model/modelview.py", line 431, in __view_look_dom
    CONTEXT)))
  File "/trytond/tools/misc.py", line 373, in safe_eval
    raise ValueError('Double underscores not allowed')
ValueError: Double underscores not allowed
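
The failure in the traceback above and the guard proposed in msg18417, as an added example that is not part of the original thread and is not trytond's code. The Eval class, the encode, process and run_twice helpers, the simplified safe_eval and the sample attribute are all assumptions made for illustration; only the error message and the "__" check come from this page.

```python
import json


class Eval:
    """Hypothetical stand-in for an expression node used in view attributes."""
    def __init__(self, name):
        self.name = name


def encode(value):
    """Serialize to JSON; expression nodes become dicts with a '__class__' key."""
    def default(obj):
        if isinstance(obj, Eval):
            return {'__class__': 'Eval', 'v': obj.name}
        raise TypeError(repr(obj))
    return json.dumps(value, default=default, sort_keys=True)


def safe_eval(source, data=None):
    """Toy restricted eval: a substring filter on '__', not a sandbox."""
    if '__' in source:
        raise ValueError('Double underscores not allowed')
    return eval(source, {'__builtins__': {}}, dict(data or {}))


def process(attrs, guard):
    """One view-processing pass over the 'states' attribute.

    With guard=True, a value that already contains '__' is treated as
    already encoded and is not passed to safe_eval a second time.
    """
    out = dict(attrs)
    states = out.get('states')
    if states is not None and not (guard and '__' in states):
        out['states'] = encode(safe_eval(states, {'Eval': Eval}))
    return out


def run_twice(attrs, guard):
    """Simulate the double call; return the final attrs or the error text."""
    try:
        return process(process(attrs, guard), guard)
    except ValueError as exc:
        return str(exc)


# Constructed sample attribute (not taken from a real Tryton view).
RAW = {'name': 'example_field', 'states': "{'readonly': Eval('type')}"}
```

Calling run_twice(RAW, guard=False) returns the error text from the traceback, while run_twice(RAW, guard=True) returns the same attributes as a single pass, because the encoded value from the first pass is left untouched.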
History
Date | User | Action | Args
2014-12-02 09:59:37 | ced | link | issue4382 superseder
2014-10-27 23:31:17 | roundup-bot | set | status: done-cbb -> resolved; nosy: + roundup-bot; messages: + msg18704
2014-10-06 22:26:40 | ced | set | status: testing -> done-cbb
2014-10-03 11:23:53 | ced | set | messages: + msg18420
2014-10-03 11:17:44 | yangoon | set | nosy: + bch, nicoe, sharkcz, ajacoutot, duesenfranz; superseder: + CVE-2014-6633: safe_eval is, in fact, not safe; messages: + msg18419
2014-10-03 09:28:31 | roba | set | nosy: + roba
2014-10-03 00:29:24 | ced | set | status: chatting -> testing; keyword: + review; messages: + msg18418; component: + trytond; reviews: 5681002; assignedto: ced
2014-10-03 00:24:50 | ced | set | nosy: + ced; messages: + msg18417
2014-10-02 22:42:37 | yangoon | set | status: unread -> chatting; messages: + msg18416
2014-10-02 22:40:47 | yangoon | create |
