From: Daniel Axtens Date: Mon, 29 Jan 2018 15:37:51 +0000 (+1100) Subject: views/user: string interpolation in raw SQL is safe here X-Git-Tag: v2.1.0-rc1~64 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=846f825f2bc3f854ff359db46b8d78ee1dbfc2f8;p=thirdparty%2Fpatchwork.git views/user: string interpolation in raw SQL is safe here There's a FIXME asking for some generated SQL that uses string interpolation to be investigated. I investigated. It's safe - it only interpolates table/column names, not user-controlled data. Replace the FIXME with an explanatory statement. Signed-off-by: Daniel Axtens --- diff --git a/patchwork/views/user.py b/patchwork/views/user.py index 79c615aa..2a2d7046 100644 --- a/patchwork/views/user.py +++ b/patchwork/views/user.py @@ -117,7 +117,11 @@ def profile(request): 'profileform': form, } - # FIXME(stephenfin): This looks unsafe. Investigate. + # This looks unsafe but is actually fine: it just gets the names + # of tables and columns, not user-supplied data. + # + # An example of generated SQL is: + # patchwork_person.email IN (SELECT email FROM patchwork_emailoptout) optout_query = '%s.%s IN (SELECT %s FROM %s)' % ( Person._meta.db_table, Person._meta.get_field('email').column,
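Review bot: The replacement comment states that only table and column names are interpolated but not where they come from, and that provenance is the whole safety argument; say explicitly that `Person._meta.db_table` and `Person._meta.get_field('email').column` are Django model metadata fixed at class-definition time, not values derived from the request, e.g. "the interpolated values are model `_meta` attributes, never user-supplied data", so that a later edit adding a request-derived parameter to the `%` tuple does not inherit the reassurance. The example SQL line (`patchwork_person.email IN (SELECT email FROM patchwork_emailoptout)`) is a good addition; it would also be worth noting in the comment that any user-controlled value must still go through a parameterised query rather than this format string.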