On 05/18/2011 05:05 PM, Jan Pazdziora wrote:
On Wed, May 18, 2011 at 02:38:54PM +0200, Ionuț Arțăriși wrote:
On 05/18/2011 01:14 PM, Jan Pazdziora wrote:

...
Nack. This is SQL-injection-prone. You have to use bind parameters
or sanitize the input properly.
Thanks, I have fixed the SQL issue.
It's still somewhat missing in your patch.

Ok, I think I now understood what you mean. Here's the re-patched patch :).

Those SQL IN operations seem to be quite tedious to write. Is there somewhere we could move this _bind_list function to? Perhaps something like rhnSQL.bind_list? I haven't found any other helpers like this in rhnSQL already, but I've seen the same pattern used in other places.

-Ionuț
>From a519ba5cef71bdec3bf6fa2e42438b00c34af14c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ionu=C8=9B=20Ar=C8=9B=C4=83ri=C8=99i?= <iartar...@suse.cz>
Date: Wed, 18 May 2011 12:31:59 +0200
Subject: [PATCH] added errata.getErrataNamesById function to the API

---
 backend/server/handlers/xmlrpc/errata.py |   36 ++++++++++++++++++++++++++++++
 1 files changed, 36 insertions(+), 0 deletions(-)

diff --git a/backend/server/handlers/xmlrpc/errata.py b/backend/server/handlers/xmlrpc/errata.py
index 5b11637..cbaab6e 100644
--- a/backend/server/handlers/xmlrpc/errata.py
+++ b/backend/server/handlers/xmlrpc/errata.py
@@ -35,6 +35,7 @@ class Errata(rhnHandler):
         self.functions.append('GetByPackage')      # Clients v1-
         self.functions.append('getPackageErratum') # Clients v2+
         self.functions.append('getErrataInfo')     # clients v2+
+        self.functions.append('getErrataNamesById')
         
     def GetByPackage(self, pkg, osRel):
         """ Clients v1- Get errata for a package given "n-v-r" format
@@ -242,7 +243,42 @@ class Errata(rhnHandler):
                             pkg_arch])
         return ret
 
+    def getErrataNamesById(self, errata_ids):
+        """Return a list of RhnErrata tuples of (id, advisory_name)
 
+        IN: errata_ids - a list of RhnErrata ids
+
+        Returns an empty list if no erratas were found for the provided ids.
+
+        """
+        sql_list, bound_vars = _bind_list(errata_ids)
+
+        sql = """SELECT id, advisory_name FROM RhnErrata
+                 WHERE id IN (%s)"""
+        h = rhnSQL.prepare(sql % sql_list)
+        h.execute(**bound_vars)
+        
+        return h.fetchall()
+
+
+def _bind_list(elems):
+    """Transform a list into an sql list with bound parameters
+
+    IN: elems - a list of elements
+
+    Returns a tuple of:
+     sql_list - a comma separated list of parameter numbers: 'p_0, p_1, p_2'
+     bound_vars - a dict of parameter names and values {'p_0': 42, 'p_1': 34}
+
+    """
+    bound_names = []
+    bound_vars = {}
+    for i, elem in enumerate(elems):
+        bound_vars['p_%s' % i] = elem
+        bound_names.append(':p_%s' % i)
+    sql_list = ', '.join(bound_names)
+    return sql_list, bound_vars
+            
 #-----------------------------------------------------------------------------
 if __name__ == "__main__":
     print "You can not run this module by itself"
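Review bot: `_bind_list([])` returns an empty placeholder string, so an empty `errata_ids` makes getErrataNamesById execute `WHERE id IN ()`, which is a SQL syntax error from the database rather than the empty list the docstring promises; add a guard before the prepare, `if not errata_ids:` followed by `return []`. The `%` substitution into the statement is fine as written, because sql_list only ever contains generated `:p_N` names and every client-supplied value travels through a bind variable. Since the ids arrive from XML-RPC clients, a non-sequence argument (a bare int, say) surfaces as a TypeError out of enumerate; coercing up front with `errata_ids = [int(i) for i in errata_ids]` rejects malformed input with a clear error before it reaches rhnSQL. Very long id lists may also run into a backend limit on IN-list length (Oracle, for one, caps it at 1000 expressions), so either a comment on the expected list size or a chunked query is worth considering if callers can pass many ids.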
-- 
1.7.3.4
