Fix for issues encountered after upgrading to Trac 0.12 running on PostgreSQL #26


Fix for issues #16, #17, #18 and #24. Or so it seems to me, anyway.

Help yourself.

You don't want to use string formatting to pass arguments to execute, as the values won't be escaped, and you introduce a vulnerability. For more info, see: http://trac.edgewall.org/wiki/TracDev/DatabaseApi#RulesforDBAPIUsage

Previous experience has demonstrated that the literal here needs to be single-quoted (WHERE name='%s'), and string formatting should be avoided, as described in the next comment.

cursor.execute("SELECT value FROM system WHERE name='%s'",

I can't say that wrapping the argument in a list will cause a problem, but the more idiomatic Trac thing to do is pass a tuple:

cursor.execute("DELETE FROM subtickets WHERE child=%s", (ticket.id, ))

Casting to str should not be done since the data is stored as int, IIUC.
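An added example, not code from this pull request or from Trac itself, contrasting the string-formatted query the reviews warn about with the parameterized form (unquoted %s placeholder, arguments passed as a tuple, integers left as integers). It runs on an in-memory sqlite3 database with constructed "system" and "subtickets" tables; the small execute helper that rewrites %s to ? is an assumption for this demo, since sqlite3 itself uses ? placeholders while Trac's API is written against %s.

```python
import sqlite3


def make_db():
    """Constructed stand-in for Trac's system and subtickets tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("CREATE TABLE subtickets (parent INTEGER, child INTEGER)")
    conn.executemany("INSERT INTO system VALUES (?, ?)",
                     [("subtickets_version", "2"), ("o'reilly", "1")])
    conn.executemany("INSERT INTO subtickets VALUES (?, ?)",
                     [(1, 2), (1, 3), (4, 5)])
    conn.commit()
    return conn


def execute(cursor, sql, args=()):
    """Run a query written with Trac-style %s placeholders on sqlite3.

    Assumption for this demo: sqlite3 wants ?, so %s is rewritten; the
    values themselves are always bound by the driver, never pasted in.
    """
    return cursor.execute(sql.replace("%s", "?"), args)


def get_version_unsafe(conn, name):
    """The pattern the review rejects: the value is interpolated into the
    SQL text, so a quote in it changes the statement instead of the data."""
    cursor = conn.cursor()
    cursor.execute("SELECT value FROM system WHERE name='%s'" % name)
    row = cursor.fetchone()
    return row[0] if row else None


def get_version(conn, name):
    """Unquoted placeholder plus a one-element tuple: the driver escapes."""
    cursor = conn.cursor()
    execute(cursor, "SELECT value FROM system WHERE name=%s", (name,))
    row = cursor.fetchone()
    return row[0] if row else None


def delete_child(conn, ticket_id):
    """Integer column: pass the int as-is, no str() cast, in a tuple."""
    cursor = conn.cursor()
    execute(cursor, "DELETE FROM subtickets WHERE child=%s", (ticket_id,))
    conn.commit()
    return cursor.rowcount
```

The unsafe variant fails outright on a legitimate name containing a quote, which is the same mechanism that lets crafted input alter the query; the parameterized variant returns the stored value.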
