[TRUNK and 5.0] SLICE opcodes missing in safe_eval() (string[:])

Bug #662493 reported by Nhomar - Vauxoo
This bug affects 2 people

Affects: Odoo Addons (MOVED TO GITHUB), status tracked in Trunk
  5.0: Status Fix Released, Importance Medium, Assigned to Anup(SerpentCS)
  Trunk: Status Fix Released, Importance Medium, Assigned to Anup(SerpentCS)

Bug Description

Slice opcodes are missing in safe_eval, that means that you cannot use the string slice operator [:] in reports.

For example [[ o.partner_id.vat[2:] ]] will fail.

The missing opcodes are:

  SLICE+0 Implements TOS = TOS[:].
  SLICE+1 Implements TOS = TOS1[TOS:].
  SLICE+2 Implements TOS = TOS1[:TOS].
  SLICE+3 Implements TOS = TOS2[TOS1:TOS].

--- Original report: ---

Hello.

We detected this error some time ago.

As we know, you can put inline Python functions between [[ ]] and in RML reports this was evaluated, at least until V5.0.12, right? We used this to take off the first 2 letters of the VAT number. For example, in a report the VAT number is in this form: VEJ123456789; for European countries it is BEXXXXXXXXX. The first 2 letters are not necessary on some reports, and for this reason we use this on reports:

[[ o.partner_id.vat[2:] ]]

The last time it worked was in 5.0.12; right now this kind of simple Python function on strings is not working, with no error and no traceback...

Thanks.

How can I try it?

Use the report "Overdue Payment" on partner.

For trunk:
account/report/account_print_overdue.rml

In line 102:
          <para style="terp_default_9">[[ addr['street'] ]]</para>
replace by
          <para style="terp_default_9">[[ addr['street'][:4] ]]</para>

Go to Customers > select China Export > Overdue Payments on Reports.

Originally it returns:
52 Chop Suey street (PDF1)

With the change it should return only the first 4 elements of the string, I mean: "52 C". Instead, it is returning the function as if it had a syntax error. (PDF2)

You can try in V5 too; I don't think we need to develop a "parser" for such a simple function...

If you try others like "upper()", these are working fine; especially, I don't know why it is happening.

regards.

Nhomar - Vauxoo (nhomar) wrote :

Sorry, where I said:
In line 102:
          <para style="terp_default_9">[[ addr['street'] ]]</para>

It should say:
In line 101:
          <para style="terp_default_9">[[ addr['street'] ]]</para>

Thanks a lot

Changed in openobject-addons:
milestone: none → 5.0.15
Borja López Soilán (NeoPolus) (borjals) wrote :

Nhomar, on trunk (6.0) the evaluation of the python code inside the RML brackets ([[ ]]) has changed to make it safer.
Now there is a method called "safe_eval()" that will evaluate that code but allowing just some operations considered "safe".
Any operation not defined on the safe_eval trusted list, won't be available on the RML.

I think that somebody just forgot to add the list indexing/copy methods into the safe list (There were a lot of small bugs like this when safe_eval was put into place).

summary: - [TRUNK and 5.0]report engine is not taking correctly string pýthon
- functions
+ [TRUNK and 5.0] report engine not taking correctly string python
+ functions [safe_eval()]
summary: - [TRUNK and 5.0] report engine not taking correctly string python
- functions [safe_eval()]
+ [TRUNK and 5.0] SLICE opcodes missing in safe_eval() (string[:])
description: updated
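
How an opcode allowlist of the kind described in this report rejects slicing, as an added example that is not part of the original thread and is not Odoo's safe_eval code. The function names, BASE_ALLOWED and the sample data are assumptions; on Python 3 the slice opcode is named BUILD_SLICE or BINARY_SLICE rather than the Python 2 SLICE+N names listed above.

```python
import dis

def opcodes_of(expr):
    """Opcode names CPython emits for an expression compiled in eval mode."""
    code = compile(expr, "<report>", "eval")
    return {ins.opname for ins in dis.get_instructions(code)}

def check_expr(expr, allowed):
    """Fail closed: refuse the expression if any opcode is off the allowlist."""
    code = compile(expr, "<report>", "eval")
    for ins in dis.get_instructions(code):
        if ins.opname not in allowed:
            raise ValueError("opcode %s not allowed (%r)" % (ins.opname, expr))
    return code

def checked_eval(expr, allowed, names):
    """Evaluate only after the opcode check, with builtins removed."""
    return eval(check_expr(expr, allowed), {"__builtins__": {}}, dict(names))

# Constructed allowlist: only what plain indexing and a method call compile to.
BASE_ALLOWED = opcodes_of("addr['street']") | opcodes_of("vat.upper()")

def missing_opcodes(expr, allowed=BASE_ALLOWED):
    """Opcodes the expression needs that the allowlist does not grant."""
    return sorted(opcodes_of(expr) - set(allowed))

# Constructed sample data modelled on the values quoted in the report.
# Slice bounds are passed as names so the compiler cannot fold the slice away.
NAMES = {"addr": {"street": "52 Chop Suey street"},
         "vat": "VEJ123456789", "start": 2, "end": 4}

if __name__ == "__main__":
    print(checked_eval("vat.upper()", BASE_ALLOWED, NAMES))
    print(missing_opcodes("vat[start:]"))   # the slice opcode for this interpreter
    try:
        checked_eval("vat[start:]", BASE_ALLOWED, NAMES)
    except ValueError as exc:
        print(exc)                           # rejected before anything is evaluated
    fixed = BASE_ALLOWED | set(missing_opcodes("vat[start:]"))
    print(checked_eval("vat[start:]", fixed, NAMES))
    print(checked_eval("addr['street'][:end]", fixed, NAMES))
```

Extending the allowlist by exactly the opcodes reported missing, and nothing else, keeps the check as tight as it was before the fix.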
Borja López Soilán (NeoPolus) (borjals) wrote :

Adding a small patch for 6.0; a similar modification can be done on 5.0.

Nhomar - Vauxoo (nhomar) wrote :

Thanks Borja, "you're a star" ;-)

The patch is working for me on V6

Regards

Nhomar - Vauxoo (nhomar) wrote :

For V5 it is broken:

report :
[2010-10-18 12:44:23,469][v5report] ERROR:report:[18]: Traceback (most recent call last):
[2010-10-18 12:44:23,469][v5report] ERROR:report:[19]: File "/home/nhomar/proyectos_bazaar/5.0/bin/report/render/rml2pdf/utils.py", line 116, in _process_text
[2010-10-18 12:44:23,470][v5report] ERROR:report:[20]: txt = eval(expr,self.localcontext)
[2010-10-18 12:44:23,470][v5report] ERROR:report:[21]: File "/home/nhomar/proyectos_bazaar/5.0/bin/tools/safe_eval.py", line 271, in safe_eval
[2010-10-18 12:44:23,470][v5report] ERROR:report:[22]: return eval(test_expr(expr,_SAFE_OPCODES, mode=mode), globals_dict, locals_dict)
[2010-10-18 12:44:23,470][v5report] ERROR:report:[23]: File "/home/nhomar/proyectos_bazaar/5.0/bin/tools/safe_eval.py", line 105, in test_expr
[2010-10-18 12:44:23,471][v5report] ERROR:report:[24]: raise ValueError("opcode %s not allowed (%r)" % (opname[code], expr))
[2010-10-18 12:44:23,471][v5report] ERROR:report:[25]: ValueError: opcode SLICE+2 not allowed ('"Introspection report on objects"[:10]')
[2010-10-18 12:44:23,471][v5report] ERROR:report:[26]:
[2010-10-18 12:44:23,471][v5report] ERROR:report:[27]: opcode SLICE+2 not allowed ('"Introspection report on objects"[:10]')
[2010-10-18 12:44:23,471][v5report] ERROR:report:[28]: expr: "Introspection report on objects"[:10]

With a wired string...

 report :
[2010-10-18 12:46:41,643][v5report] ERROR:report:[18]: Traceback (most recent call last):
[2010-10-18 12:46:41,644][v5report] ERROR:report:[19]: File "/home/nhomar/proyectos_bazaar/5.0/bin/report/render/rml2pdf/utils.py", line 116, in _process_text
[2010-10-18 12:46:41,644][v5report] ERROR:report:[20]: txt = eval(expr,self.localcontext)
[2010-10-18 12:46:41,644][v5report] ERROR:report:[21]: File "/home/nhomar/proyectos_bazaar/5.0/bin/tools/safe_eval.py", line 271, in safe_eval
[2010-10-18 12:46:41,644][v5report] ERROR:report:[22]: return eval(test_expr(expr,_SAFE_OPCODES, mode=mode), globals_dict, locals_dict)
[2010-10-18 12:46:41,645][v5report] ERROR:report:[23]: File "/home/nhomar/proyectos_bazaar/5.0/bin/tools/safe_eval.py", line 105, in test_expr
[2010-10-18 12:46:41,645][v5report] ERROR:report:[24]: raise ValueError("opcode %s not allowed (%r)" % (opname[code], expr))
[2010-10-18 12:46:41,645][v5report] ERROR:report:[25]: ValueError: opcode SLICE+2 not allowed ('module.name[:6]')
[2010-10-18 12:46:41,645][v5report] ERROR:report:[26]:
[2010-10-18 12:46:41,645][v5report] ERROR:report:[27]: opcode SLICE+2 not allowed ('module.name[:6]')
[2010-10-18 12:46:41,646][v5report] ERROR:report:[28]: expr: module.name[:6]

with a "variable" string----

Nhomar - Vauxoo (nhomar) wrote :

I'm on revno 2144, I can see that one line was left out, please add:

    'SLICE+0', 'SLICE+1', 'SLICE+2', 'SLICE+3',

in safe_eval.py on line 59....

Please folks, I know that we are in a hurry with changes and we really appreciate that you answer and commit very quickly, but it must not affect the quality control. It shows that the committer in this case, jay(openerp), didn't even try his own change. Be careful folks. Be careful, it can happen with worse things....

Regards, and thanks A LOT for the quick commit.

Nhomar - Vauxoo (nhomar) wrote :

The patch that Borja supplied works by just applying it.... no need to change anything else.......

Nhomar - Vauxoo (nhomar) wrote :

V5 committed, with the same error.

Does nobody check changes before commit?

Nhomar - Vauxoo (nhomar) wrote :

In V5 I raised the importance, because right now it is giving an exception.
Several reports don't work with this, and they worked before safe_eval was implemented...

Thanks guys for hearing us

Anup(SerpentCS) (anup-serpent) wrote :

Hello Nhomar,Borja,

  It has been fixed in stable by revision 2145 <email address hidden>

Thanks a lot for your valuable efforts.

Anup(SerpentCS) (anup-serpent) wrote :

Hello Guys,

   Fixed in trunk by revision 2948 <email address hidden>

Thanks.

Torvald Bringsvor (bringsvor) wrote :

No, still an issue for 5.0 it seems. Have updated just 10 minutes ago (can't remember the version - how can I find it?)

Anyway I enclose the server output. Steps to reproduce:

1. Create new database with Minimal profile.
2. Install sales module.

Nhomar - Vauxoo (nhomar) wrote :

It is working for me for both versions, check your code please

Omar (Pexego) (omar7r) wrote :

Hi Anup,

Like Torvald said, this issue is still present in v5.0. Nhomar, maybe you had applied Borja's patch; with his patch it works.

Omar (Pexego) (omar7r) wrote :

Hi all,

My fault, I had deleted that line in my source. It works perfectly in v5
