Merge pull request #8015 from adityahase/revert-develop

fix: Revert recent security fixes
2019-07-26 15:42:46 +00:00 · 2019-07-26 15:42:46 +00:00 · bdc0b7948d
commit bdc0b7948d
parent ae76b7cec1 30845b26fa
2 changed files with 1 additions and 7 deletions
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@ -240,9 +240,6 @@ class DatabaseQuery(object):

 			_is_query(field)

-			invalid_characters_regex = r".*[^a-zA-Z0-9-_ ,`'\"\*\.\(\)].*"
-			if re.match(invalid_characters_regex, field):
-				frappe.throw(_("Illegal characters in SQL query"))

 	def extract_tables(self):
 		"""extract tables from fields"""
@ -691,9 +688,6 @@ class DatabaseQuery(object):
 		if 'select' in _lower and ' from ' in _lower:
 			frappe.throw(_('Cannot use sub-query in order by'))

-		invalid_characters_regex = r".*[^a-z0-9-_ ,`'\"\.\(\)].*"
-		if re.match(invalid_characters_regex, _lower):
-			frappe.throw(_("Illegal characters in SQL query"))

 		for field in parameters.split(","):
 			if "." in field and field.strip().startswith("`tab"):
--- a/frappe/utils/jinja.py
+++ b/frappe/utils/jinja.py
@ -71,7 +71,7 @@ def render_template(template, context, is_path=None, safe_render=True):
 		or (template.endswith('.html') and '\n' not in template)):
 		return get_jenv().get_template(template).render(context)
 	else:
-		if safe_render and "__" in template:
+		if safe_render and ".__" in template:
 			throw("Illegal template")
 		try:
 			return get_jenv().from_string(template).render(context)