Merge pull request #923 from rmehta/develop

[security] [fix] stop client side queries in reportview.py

frappe/model/db_query.py

@@ -90,7 +90,10 @@ class DatabaseQuery(object):
 		if isinstance(self.filters, basestring):
 			self.filters = json.loads(self.filters)
 		if isinstance(self.fields, basestring):
-			self.fields = json.loads(self.fields)
+			if self.fields == "*":
+				self.fields = ["*"]
+			else:
+				self.fields = json.loads(self.fields)
 		if isinstance(self.filters, dict):
 			fdict = self.filters
 			self.filters = []

frappe/public/js/frappe/views/listview.js

@@ -514,31 +514,3 @@ frappe.views.ListView = Class.extend({
 		$(parent).append(repl(icon_html, {icon_class: icon_class, label: __(label) || ''}));
 	}
 });
-
-// embeddable
-frappe.provide('frappe.views.RecordListView');
-frappe.views.RecordListView = frappe.views.DocListView.extend({
-	init: function(doctype, wrapper, ListView) {
-		this.doctype = doctype;
-		this.wrapper = wrapper;
-		this.listview = new ListView(this, doctype);
-		this.listview.parent = this;
-		this.setup();
-	},
-
-	setup: function() {
-		var me = this;
-		me.page_length = 10;
-		$(me.wrapper).empty();
-		me.init_list();
-	},
-
-	get_args: function() {
-		var args = this._super();
-		$.each((this.default_filters || []), function(i, f) {
-		      args.filters.push(f);
-		});
-		args.docstatus = args.docstatus.concat((this.default_docstatus || []));
-		return args;
-	},
-});

frappe/widgets/reportview.py

@@ -20,6 +20,7 @@ def execute(doctype, query=None, filters=None, fields=None, or_filters=None, doc
 		order_by, limit_start, limit_page_length, as_list, with_childnames, debug)
 
 def get_form_params():
+	"""Stringify GET request parameters."""
 	data = frappe._dict(frappe.local.form_dict)
 
 	del data["cmd"]
@@ -31,6 +32,9 @@ def get_form_params():
 	if isinstance(data.get("docstatus"), basestring):
 		data["docstatus"] = json.loads(data["docstatus"])
 
+	# queries must always be server side
+	data.query = None
+
 	return data
 
 def compress(data):