From 0aee7afb876d2d79ed04154536ff1da58e6cf5fc Mon Sep 17 00:00:00 2001
From: Suraj Shetty
Date: Fri, 2 Nov 2018 12:19:25 +0530
Subject: [PATCH 1/5] Fix permission error while import (#6385)
Custom permission should apply while import or else import of doctype with custom roles fails
---
 frappe/model/meta.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/model/meta.py b/frappe/model/meta.py
index 6b9654c1f4..b502c5665f 100644
--- a/frappe/model/meta.py
+++ b/frappe/model/meta.py
@@ -320,7 +320,7 @@ class Meta(Document):
 def set_custom_permissions(self):
 '''Reset `permissions` with Custom DocPerm if exists'''
- if frappe.flags.in_patch or frappe.flags.in_import or frappe.flags.in_install:
+ if frappe.flags.in_patch or frappe.flags.in_install:
 return
 if not self.istable and self.name not in ('DocType', 'DocField', 'DocPerm',
From 731d12238eec11209c2d82f8497ecd9631c366f9 Mon Sep 17 00:00:00 2001
From: Rohit Waghchaure
Date: Fri, 2 Nov 2018 15:18:47 +0530
Subject: [PATCH 2/5] Bredcrumb issue in the file
---
 frappe/core/doctype/file/file.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/frappe/core/doctype/file/file.py b/frappe/core/doctype/file/file.py
index d5e76fca01..86530e166d 100755
--- a/frappe/core/doctype/file/file.py
+++ b/frappe/core/doctype/file/file.py
@@ -38,9 +38,10 @@ class File(NestedSet):
 self.set_folder_name()
 def get_name_based_on_parent_folder(self):
- path = get_breadcrumbs(self.folder)
- folder_name = frappe.get_value("File", self.folder, "file_name")
- return "/".join([d.file_name for d in path] + [folder_name, self.file_name])
+ if self.folder:
+ path = get_breadcrumbs(self.folder)
+ folder_name = frappe.get_value("File", self.folder, "file_name")
+ return "/".join([d.file_name for d in path] + [folder_name, self.file_name])
 def autoname(self):
 """Set name for folder"""
From 15d3f4660ebf91e54aff15cbf7611ab0e603ebc0 Mon Sep 17 00:00:00 2001
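Review bot: In `frappe/model/meta.py`, the guard at the top of `set_custom_permissions` now treats import differently from patch and install, but nothing in the code records why, so a later edit could easily re-add `frappe.flags.in_import`. A comment above the condition would capture the intent, for example `# Custom DocPerm is skipped only during patch/install; imports must be checked against the customised roles`. Because this changes which permission rows are in effect during every import, a regression test that imports a doctype carrying a custom role would pin the behaviour. The rest of the method lies outside the hunk, so whether the Custom DocPerm lookup is safe at every point an import can reach is not visible here.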
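Review bot: In `frappe/core/doctype/file/file.py`, `get_name_based_on_parent_folder` now falls off the end and returns `None` whenever `self.folder` is empty, and nothing in the hunk documents that the result has become optional. The callers are outside the hunk; any that assigns the result as a document name or joins it into a path would receive `None` silently. Make the fallback explicit: add `return self.file_name` after the `if` block if a folder-less file is meant to be named by its file name, or write `return None` and add a docstring saying so.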
From: Suraj Shetty
Date: Mon, 5 Nov 2018 10:07:16 +0530
Subject: [PATCH 3/5] fix(security): pop ignore_permissions arg from whitelisted method
---
 frappe/model/db_query.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 1d241db443..f2da6e0b31 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -619,6 +619,7 @@ def get_order_by(doctype, meta):
 def get_list(doctype, *args, **kwargs):
 '''wrapper for DatabaseQuery'''
 kwargs.pop('cmd', None)
+ kwargs.pop('ignore_permissions', None)
 return DatabaseQuery(doctype).execute(None, *args, **kwargs)
 def is_parent_only_filter(doctype, filters):
From 856a721073122a8e487a13ba50b97a8b90916e12 Mon Sep 17 00:00:00 2001
From: Saurabh
Date: Mon, 5 Nov 2018 10:51:57 +0530
Subject: [PATCH 4/5] [fix] sql injection fix (#6390)
---
 frappe/model/db_query.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index f2da6e0b31..d561517558 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -192,8 +192,7 @@ class DatabaseQuery(object):
 '''
 sub_query_regex = re.compile("^.*[,();].*")
- blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case',
- 'from', 'group', 'order', 'by']
+ blacklisted_keywords = ['select', 'create', 'insert', 'delete', 'drop', 'update', 'case']
 blacklisted_functions = ['concat', 'concat_ws', 'if', 'ifnull', 'nullif', 'coalesce', 'connection_id', 'current_user', 'database', 'last_insert_id', 'session_user', 'system_user', 'user', 'version']
From 54baae96f95971e97fa11a2f61a1523a2fd4c027 Mon Sep 17 00:00:00 2001
From: Ameya Shenoy
Date: Mon, 5 Nov 2018 06:37:45 +0000
Subject: [PATCH 5/5] bumped to version 10.1.59
---
 frappe/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/__init__.py b/frappe/__init__.py
index 181f236692..2c6cf49f86 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
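Review bot: `get_list` in `frappe/model/db_query.py` strips one key and then forwards everything else in `**kwargs` to `DatabaseQuery(doctype).execute`, so the protection is a one-entry denylist: any other keyword that `execute` accepts and that influences authorization would still be caller-controlled. The commit title says this function is reachable as a whitelisted method (the decorator is not visible in the hunk), so forwarding only an explicit allowlist of query arguments would be the safer shape. The pop is also silent and applies to in-process callers as well; a comment such as `# request-supplied kwargs must never disable permission checks` plus a log entry when the key is present would document the intent and give detection a signal. The signature of `execute` is outside the hunk, so the set of remaining sensitive keywords has to be confirmed there.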
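Review bot: The new `blacklisted_keywords` line in `DatabaseQuery` makes the filter more permissive, not stricter: `from`, `group`, `order` and `by` are no longer rejected, yet the commit is titled as an SQL injection fix and gives no explanation. If the motive is false positives on legitimate field names (an assumption, since the matching code is outside the hunk), record it above the list, e.g. `# NOTE: 'from', 'group', 'order', 'by' intentionally not listed: <reason>`, and add a test for the inputs that must still be refused. A keyword denylist is fragile as the primary control; validating requested fields against the doctype's known columns and keeping values parameterised is the sturdier defence.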
@@ -14,7 +14,7 @@ import os, sys, importlib, inspect, json
 from .exceptions import *
 from .utils.jinja import get_jenv, get_template, render_template, get_email_from_template
-__version__ = '10.1.58'
+__version__ = '10.1.59'
 __title__ = "Frappe Framework"
 local = Local()