From 103e89406412bd8ce8ad4d433817ce08e8c490f7 Mon Sep 17 00:00:00 2001
From: Shivam Mishra
Date: Thu, 25 Jul 2019 11:37:31 +0530
Subject: [PATCH 1/2] fix: more button visibility bug

---
 .../js/frappe/form/multi_select_dialog.js | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/frappe/public/js/frappe/form/multi_select_dialog.js b/frappe/public/js/frappe/form/multi_select_dialog.js
index 0d8d2caca1..e5d4d91d32 100644
--- a/frappe/public/js/frappe/form/multi_select_dialog.js
+++ b/frappe/public/js/frappe/form/multi_select_dialog.js
@@ -201,11 +201,12 @@ frappe.ui.form.MultiSelectDialog = Class.extend({
 let $row = $(`
- +
${contents}
 `);
+ head ? $row.addClass('list-item--head') : $row = $(`
`).append($row);
 return $row;
@@ -219,14 +220,10 @@ frappe.ui.form.MultiSelectDialog = Class.extend({
 if (!frappe.flags.auto_scroll) {
 this.empty_list();
 }
+ more_btn.hide();
- if(results.length === 0) {
- this.empty_list();
- more_btn.hide();
- return;
- } else if(more) {
- more_btn.show();
- }
+ if (results.length === 0) return;
+ if (more) more_btn.show();
 results.forEach((result) => {
 me.$results.append(me.make_list_row(result));
@@ -303,10 +300,6 @@ frappe.ui.form.MultiSelectDialog = Class.extend({
 return a.parsed_date - b.parsed_date;
 });
- // Preselect oldest entry
- if (me.start < 1) {
- results[0].checked = 1;
- }
 }
 me.render_result_list(results, more);
 }

From fb8993663c2e587d78667937ad356d17610a2214 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Thu, 25 Jul 2019 20:49:00 +0530
Subject: [PATCH 2/2] fix(security): Disallow unnecessary characters in group_by and fields

---
 frappe/model/db_query.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 53a1c6c13d..7767d2a021 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -240,6 +240,9 @@ class DatabaseQuery(object):
 _is_query(field)
+ invalid_characters_regex = r".*[^a-zA-Z0-9-_ ,`'\"\*\.\(\)].*"
+ if re.match(invalid_characters_regex, field):
+ frappe.throw(_("Illegal characters in SQL query"))
 def extract_tables(self):
 """extract tables from fields"""
@@ -688,6 +691,9 @@ class DatabaseQuery(object):
 if 'select' in _lower and ' from ' in _lower:
 frappe.throw(_('Cannot use sub-query in order by'))
+ invalid_characters_regex = r".*[^a-z0-9-_ ,`'\"\.\(\)].*"
+ if re.match(invalid_characters_regex, _lower):
+ frappe.throw(_("Illegal characters in SQL query"))
 for field in parameters.split(","):
 if "." in field and field.strip().startswith("`tab"):
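Review bot: The added `head ? $row.addClass('list-item--head') : $row = $(…).append($row);` line uses a conditional expression purely for its side effects, with an assignment as the else branch, so it reads as an expression whose value nobody uses and relies on the reader knowing how `?:` and `=` nest. An `if (head) { $row.addClass('list-item--head'); } else { $row = $(…).append($row); }` statement says the same thing plainly. The markup inside the two template literals is not legible in this copy of the hunk, so it was not reviewed, and the enclosing function starts outside the hunk.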
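Review bot: The character filter added after `_is_query(field)` rejects some delimiter characters but still admits `'`, `"`, `` ` ``, `(`, `)`, `*` and `-`, so it narrows what can reach the generated SQL without on its own making `field` a plain column reference; a comment such as `# character allowlist: defence in depth next to _is_query(), not the only validation` would stop a later reader treating it as the sole check. The `.*` wrappers and `re.match` are doing the work of a search, so ``if re.search(r"[^a-zA-Z0-9-_ ,`'\"\*\.\(\)]", field):`` is the simpler form, and hoisting the class into a module-level `re.compile` constant shared with the second hunk (at `@@ -688`) keeps the two allowlists from drifting — they already differ, the order-by one having no `\*`, which may be deliberate since it runs on `_lower`. Both hunks assume `re` is imported at the top of db_query.py, which is not visible here, and the enclosing methods begin outside the hunks.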