vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 4

Revert "fix(security): Disallow unnecessary characters in group_by and fields"

Browse source 
This reverts commit fb8993663c.
This commit is contained in:
Aditya Hase 2019-07-26 20:49:46 +05:30
parent eec9ee86e3
commit ce60f98ab6
1 changed files with 0 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
frappe/model/db_query.py
View file

@ -240,9 +240,6 @@ class DatabaseQuery(object):
_is_query(field)
invalid_characters_regex = r".*[^a-zA-Z0-9-_ ,`'\"\*\.\(\)].*"
if re.match(invalid_characters_regex, field):
frappe.throw(_("Illegal characters in SQL query"))
def extract_tables(self):
"""extract tables from fields"""
@ -691,9 +688,6 @@ class DatabaseQuery(object):
if 'select' in _lower and ' from ' in _lower:
frappe.throw(_('Cannot use sub-query in order by'))
invalid_characters_regex = r".*[^a-z0-9-_ ,`'\"\.\(\)].*"
if re.match(invalid_characters_regex, _lower):
frappe.throw(_("Illegal characters in SQL query"))
for field in parameters.split(","):
if "." in field and field.strip().startswith("`tab"):