diff mbox series

[4/4] views/user: string interpolation in raw SQL is safe here

Message ID 20180130153611.31474-4-dja@axtens.net
State Accepted
Series [1/4] tags: be a bit more permissive in what we render to a message

Commit Message

Daniel Axtens Jan. 30, 2018, 3:36 p.m. UTC
There's a FIXME asking for some generated SQL that uses string
interpolation to be investigated.

I investigated.

It's safe - it only interpolates table/column names, not
user-controlled data.

Replace the FIXME with an explanatory statement.

Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 patchwork/views/user.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Patch

diff --git a/patchwork/views/user.py b/patchwork/views/user.py
index 79c615aa2da0..2a2d704679e0 100644
--- a/patchwork/views/user.py
+++ b/patchwork/views/user.py
@@ -117,7 +117,11 @@  def profile(request):
         'profileform': form,
     }
 
-    # FIXME(stephenfin): This looks unsafe. Investigate.
+    # This looks unsafe but is actually fine: it just gets the names
+    # of tables and columns, not user-supplied data.
+    #
+    # An example of generated SQL is:
+    # patchwork_person.email IN (SELECT email FROM patchwork_emailoptout)
     optout_query = '%s.%s IN (SELECT %s FROM %s)' % (
         Person._meta.db_table,
         Person._meta.get_field('email').column,
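Review bot: the replacement comment (`+    # This looks unsafe but is actually fine`) asserts safety without naming the invariant that makes it hold, so a later reader has to re-derive it; state where the interpolated values come from. The two arguments visible in this hunk, `Person._meta.db_table` and `Person._meta.get_field('email').column`, are Django model metadata fixed at class-definition time, not values taken from the request, and that is the whole reason `'%s.%s IN (SELECT %s FROM %s)' % (...)` is not an injection point. Suggest wording such as "only Django model metadata (`_meta.db_table`, `_meta.get_field(...).column`) is interpolated; no request-supplied value reaches this format string", which also gives anyone who later adds an argument to the tuple a clear rule to check against. The example SQL line is helpful; consider marking it as illustrative so it does not have to be kept in sync if a table or column is ever renamed.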