On 05/18/2011 01:14 PM, Jan Pazdziora wrote:

...
Nack. This is SQL-injection-prone. You have to use bind parameters
or sanitize the input properly.
Thanks, I have fixed the SQL issue.

Besides, if you allow the list of errata id's to be passed in, which
would lead to multiple erratas to be returned, shouldn't you return
the id as well to make it clear which advisory name belongs to which
id?

We don't exactly need the errata ids, but I can see how this might be useful, so I have changed the method to return a list of (id, advisory_name) tuples.

-Ionuț
From 2294cbcf78713d600f716aa202a812df7d6480be Mon Sep 17 00:00:00 2001
From: Ionuț Arțăriși <iartar...@suse.cz>
Date: Wed, 18 May 2011 12:31:59 +0200
Subject: [PATCH] added errata.getErrataNamesById function to the API

---
 backend/server/handlers/xmlrpc/errata.py |   20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/backend/server/handlers/xmlrpc/errata.py b/backend/server/handlers/xmlrpc/errata.py
index 5b11637..4f1abcd 100644
--- a/backend/server/handlers/xmlrpc/errata.py
+++ b/backend/server/handlers/xmlrpc/errata.py
@@ -35,6 +35,7 @@ class Errata(rhnHandler):
         self.functions.append('GetByPackage')      # Clients v1-
         self.functions.append('getPackageErratum') # Clients v2+
         self.functions.append('getErrataInfo')     # clients v2+
+        self.functions.append('getErrataNamesById')
         
     def GetByPackage(self, pkg, osRel):
         """ Clients v1- Get errata for a package given "n-v-r" format
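Review bot: The added `self.functions.append('getErrataNamesById')` line is the only entry in this list without the client-version comment its neighbours carry, so a reader cannot tell which client generation the new call is meant for. Match the surrounding style with a trailing comment, e.g. `self.functions.append('getErrataNamesById') # Clients v2+` if that is the intended audience. The method that holds this list starts before the hunk.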
@@ -243,6 +244,25 @@ class Errata(rhnHandler):
         return ret
 
 
+    def getErrataNamesById(self, errata_ids):
+        """Return a list of RhnErrata tuples of (id, advisory_name)
+
+        :arg errata_ids: a list of RhnErrata ids
+
+        Returns an empty list if no erratas were found for the provided ids.
+
+        """
+        # transform the list of ints to an sql list that we can forcibly
+        # insert into the sql statement
+        sql_list = ', '.join([str(i) for i in errata_ids])
+
+        sql = """SELECT id, advisory_name FROM RhnErrata
+                 WHERE id IN (%s)"""
+        h = rhnSQL.prepare(sql % sql_list)
+        h.execute()
+        
+        return h.fetchall()
+
 #-----------------------------------------------------------------------------
 if __name__ == "__main__":
     print "You can not run this module by itself"
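Review bot: The `h = rhnSQL.prepare(sql % sql_list)` line still splices caller-supplied values into the statement text, and `str(i)` passes a string element through unchanged, so the reply's claim that the SQL issue is fixed is not borne out by this version of the hunk — nothing validates that each element of `errata_ids` is an integer. Coercing every element makes the interpolated list consist of digits only (or raise `ValueError` on bad input): `sql_list = ', '.join([str(int(i)) for i in errata_ids])`, with the comment above it reworded to `# each id is coerced to int so the interpolated list can only contain digits`. An empty `errata_ids` also yields `WHERE id IN ()`, which is invalid SQL and contradicts the docstring's "returns an empty list" promise; add `if not errata_ids: return []` before building the list. The enclosing Errata class starts before this hunk.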
-- 
1.7.3.4
