From 846f825f2bc3f854ff359db46b8d78ee1dbfc2f8 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 30 Jan 2018 02:37:51 +1100
Subject: [PATCH] views/user: string interpolation in raw SQL is safe here

There's a FIXME asking for some generated SQL that uses string
interpolation to be investigated.

I investigated.

It's safe - it only interpolates table/column names, not
user-controlled data.

Replace the FIXME with an explanatory statement.

Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 patchwork/views/user.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/patchwork/views/user.py b/patchwork/views/user.py
index 79c615aa..2a2d7046 100644
--- a/patchwork/views/user.py
+++ b/patchwork/views/user.py
@@ -117,7 +117,11 @@ def profile(request):
         'profileform': form,
     }
 
-    # FIXME(stephenfin): This looks unsafe. Investigate.
+    # This looks unsafe but is actually fine: it just gets the names
+    # of tables and columns, not user-supplied data.
+    #
+    # An example of generated SQL is:
+    # patchwork_person.email IN (SELECT email FROM patchwork_emailoptout)
     optout_query = '%s.%s IN (SELECT %s FROM %s)' % (
         Person._meta.db_table,
         Person._meta.get_field('email').column,
-- 
2.47.3