From 684bb80f8e87d7774a8a41dfc49185bd56bba2fe Mon Sep 17 00:00:00 2001
From: shreyas
Date: Mon, 28 Nov 2016 17:15:41 +0530
Subject: [PATCH 1/4] [Minor] convert date type to string when field is set as 'set_only_once' or constant

---
 frappe/model/base_document.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/frappe/model/base_document.py b/frappe/model/base_document.py
index 90ae393f94..6db4ca70d9 100644
--- a/frappe/model/base_document.py
+++ b/frappe/model/base_document.py
@@ -504,7 +504,16 @@ class BaseDocument(object):
 values = frappe.db.get_value(self.doctype, self.name, constants, as_dict=True)
 for fieldname in constants:
- if self.get(fieldname) != values.get(fieldname):
+ df = self.meta.get_field(fieldname)
+
+ # This conversion to string only when fieldtype is Date
+ if df.fieldtype == 'Date':
+ value = str(values.get(fieldname))
+
+ else:
+ value = values.get(fieldname)
+
+ if self.get(fieldname) != value:
 frappe.throw(_("Value cannot be changed for {0}").format(self.meta.get_label(fieldname)), frappe.CannotChangeConstantError)

From 61a3f3eda0ed55e523b43e2f19d02a52bfa4f243 Mon Sep 17 00:00:00 2001
From: Mohammed
Date: Tue, 29 Nov 2016 18:05:52 +0200
Subject: [PATCH 2/4] Delete rows that do not match the ones in the document without causing db deadlock

---
 frappe/model/document.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/frappe/model/document.py b/frappe/model/document.py
index b582b7f3ae..72050cad5c 100644
--- a/frappe/model/document.py
+++ b/frappe/model/document.py
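Review bot: `str(values.get(fieldname))` turns a stored NULL into the string `'None'`, so a constant Date field that has never been set compares unequal to whatever the document holds and raises CannotChangeConstantError on every save; guard the conversion, e.g. `db_value = values.get(fieldname)` followed by `value = str(db_value) if db_value is not None else db_value`. The normalization is also one-sided: only the database side is stringified, so if `self.get(fieldname)` holds a date object rather than a string, an unchanged value still fails the comparison — normalizing both sides the same way would make the check symmetric. If `self.meta.get_field` can return None for a fieldname listed in `constants`, `df.fieldtype` raises AttributeError; worth confirming against the meta API. The enclosing method starts outside the hunk.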
@@ -301,12 +301,16 @@ class Document(BaseDocument):
 return
 if rows:
- # delete rows that do not match the ones in the
- # document
- frappe.db.sql("""delete from `tab{0}` where parent=%s
+ # select rows that do not match the ones in the document
+ deleted_rows = frappe.db.sql("""select name from `tab{0}` where parent=%s
 and parenttype=%s and parentfield=%s
 and name not in ({1})""".format(df.options, ','.join(['%s'] * len(rows))),
 [self.name, self.doctype, fieldname] + rows)
+ if len(deleted_rows) > 0:
+ # delete rows that do not match the ones in the document
+ frappe.db.sql("""delete from `tab{0}` where name in ({1})""".format(df.options,
+ ','.join(['%s'] * len(deleted_rows))), tuple(row[0] for row in deleted_rows))
+
 else:
 # no rows found, delete all rows
 frappe.db.sql("""delete from `tab{0}` where parent=%s

From e9ca5ea9a61e4d5144f6db66f01557026aa57f40 Mon Sep 17 00:00:00 2001
From: exabakr
Date: Wed, 30 Nov 2016 04:04:24 +0300
Subject: [PATCH 3/4] [URGENT] Prevent accessing sensitive files in client.get_js

Logged in user (any permissions) can access sensitive files by calling frappe.client.get_js
Consider the following scenario:
1- Login to system
2- http://HOST/?items=["currentsite.txt"]&cmd=frappe.client.get_js (this will give you site directory name)
3- http://HOST/?items=["SITE_DIR_NAME%2Fsite_config.json"]&cmd=frappe.client.get_js (this will show you site config including database name and password and any other sensitive data

The suggested fix prevent accessing any file outside the assets folder. (or atleast you should prevent access to .py files and private folder which includes backup and sensetive files and logs folders)

There should be a hot fix asap
---
 frappe/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frappe/client.py b/frappe/client.py
index 52799e4f85..fdcad2a74c 100644
--- a/frappe/client.py
+++ b/frappe/client.py
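Review bot: `if len(deleted_rows) > 0:` can simply be `if deleted_rows:`, and the blank `+` line inserted between the if-body and `else:` separates the two branches of `if rows:` visually. The select-then-delete pair is only equivalent to the original single DELETE when both statements run inside the same transaction, since a child row written by another session between them is neither selected nor deleted; presumably `frappe.db.sql` runs within the request's transaction, but the comment should say why two statements are used, e.g. `# select first so the delete locks only the rows being removed; both statements run in the same transaction`. The inner comment repeats the outer one verbatim and could carry that reason instead. The enclosing method starts and ends outside the hunk.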
@@ -203,7 +203,7 @@ def get_js(items):
 for src in items:
 src = src.strip("/").split("/")
- if ".." in src:
+ if ".." in src or src[0] != "assets":
 frappe.throw(_("Invalid file path: {0}").format("/".join(src)))
 contentpath = os.path.join(frappe.local.sites_path, *src)

From 63f803e7b9a31779f16d1fd7129d48a1d7cd95cf Mon Sep 17 00:00:00 2001
From: Nabin Hait
Date: Wed, 30 Nov 2016 12:43:56 +0600
Subject: [PATCH 4/4] bumped to version 7.1.21

---
 frappe/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frappe/__init__.py b/frappe/__init__.py
index cf3f2583c8..e04a96d61e 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
@@ -13,7 +13,7 @@ import os, sys, importlib, inspect, json
 from .exceptions import *
 from .utils.jinja import get_jenv, get_template, render_template
-__version__ = '7.1.20'
+__version__ = '7.1.21'
 __title__ = "Frappe Framework"
 local = Local()
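Review bot: The new `src[0] != "assets"` allowlist closes the reported read of files outside the assets directory, but it is tied to the `/`-split representation and leaves `os.path.join(frappe.local.sites_path, *src)` as the only step between the request and the filesystem; a second check on the joined path would keep the restriction intact even if the splitting or stripping changes, e.g. `assets_dir = os.path.join(frappe.local.sites_path, "assets")` and `if not os.path.normpath(contentpath).startswith(assets_dir + os.sep): frappe.throw(_("Invalid file path: {0}").format("/".join(src)))`. Note that `normpath` does not resolve symlinks, so anything linked from inside the assets directory stays readable — if that is not intended, a `realpath`-based comparison is needed, but confirm what the assets directory is expected to contain before tightening it. `".." in src` matches only a bare `..` component, which is the only form a traversal can take once the path is split on `/`, and an empty item yields `['']`, which the `!= "assets"` test rejects before any IndexError. The rest of get_js, including how the file at `contentpath` is opened and returned, is outside the hunk.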