From ce60f98ab68e72afcf2621fc3da515de9ca22fc9 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Fri, 26 Jul 2019 20:49:46 +0530
Subject: [PATCH 1/2] Revert "fix(security): Disallow unnecessary characters in group_by and fields"
This reverts commit fb8993663c2e587d78667937ad356d17610a2214.
---
 frappe/model/db_query.py | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 7767d2a021..53a1c6c13d 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -240,9 +240,6 @@ class DatabaseQuery(object):
 _is_query(field)
- invalid_characters_regex = r".*[^a-zA-Z0-9-_ ,`'\"\*\.\(\)].*"
- if re.match(invalid_characters_regex, field):
- frappe.throw(_("Illegal characters in SQL query"))
 def extract_tables(self):
 """extract tables from fields"""
@@ -691,9 +688,6 @@ class DatabaseQuery(object):
 if 'select' in _lower and ' from ' in _lower:
 frappe.throw(_('Cannot use sub-query in order by'))
- invalid_characters_regex = r".*[^a-z0-9-_ ,`'\"\.\(\)].*"
- if re.match(invalid_characters_regex, _lower):
- frappe.throw(_("Illegal characters in SQL query"))
 for field in parameters.split(","):
 if "." in field and field.strip().startswith("`tab"):
From fb896a460ee33200e21751f836afcec21fedc0c4 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Fri, 26 Jul 2019 20:49:56 +0530
Subject: [PATCH 2/2] Revert "fix(security): Make jinja rendering tighter"
This reverts commit b30199b7f5c9dc62563fc4c528432f1160de0fd3.
---
 frappe/utils/jinja.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/utils/jinja.py b/frappe/utils/jinja.py
index f8745b82c3..7a27fb3c3b 100644
--- a/frappe/utils/jinja.py
+++ b/frappe/utils/jinja.py
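Review bot: On the new side of the first hunk (`@@ -240`) a field is validated only by `_is_query(field)` before control reaches `extract_tables`; with the character whitelist reverted, nothing visible in this hunk rejects characters outside the removed `invalid_characters_regex` set in `fields`/`group_by`, and the second hunk (`@@ -691`) leaves `_lower` (the order-by parameters) in the same state, guarded only by the sub-query check shown above the deletion. Both enclosing methods start and end outside their hunks, so any other validation they perform cannot be confirmed from this patch. If the whitelist was reverted because it rejected legitimate queries, the commit body should say so and point at the replacement, and a marker at each removed site would keep the gap from being forgotten, e.g. `# TODO(security): character validation removed by revert of fb8993663c2e; replacement pending` directly after `_is_query(field)` and after the `Cannot use sub-query in order by` throw.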
@@ -71,7 +71,7 @@ def render_template(template, context, is_path=None, safe_render=True):
 or (template.endswith('.html') and '\n' not in template)):
 return get_jenv().get_template(template).render(context)
 else:
- if safe_render and "__" in template:
+ if safe_render and ".__" in template:
 throw("Illegal template")
 try:
 return get_jenv().from_string(template).render(context)
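Review bot: The guard on the new side, `if safe_render and ".__" in template:`, is a substring match on the template source; it is narrower than the `"__"` check it replaces and is not equivalent to restricting attribute access at render time, which is what actually confines untrusted templates. Whether `get_jenv()` returns a `jinja2.sandbox.SandboxedEnvironment` is not visible in this hunk, and the `from_string(...).render(context)` call on the last line relies on that environment rather than on the substring check. If the `"__"` check was reverted because it rejected legitimate templates, record the limitation next to the guard, e.g. `# NOTE: source-level substring check only; untrusted templates depend on get_jenv() returning a sandboxed environment`. `render_template` begins before the hunk and its remainder lies outside it.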