From 1f0690b05ddd8f9b639e3f2ad1fd01f81d48260f Mon Sep 17 00:00:00 2001
From: Rushabh Mehta
Date: Mon, 24 Nov 2014 13:20:31 +0530
Subject: [PATCH] [security] [fix] stop client side queries in reportview.py

---
 frappe/model/db_query.py | 5 +++-
 frappe/public/js/frappe/views/listview.js | 28 ----------------------
 frappe/widgets/reportview.py | 4 ++++
 3 files changed, 8 insertions(+), 29 deletions(-)

diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index a5c2f7b723..79ef0e63d4 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -90,7 +90,10 @@ class DatabaseQuery(object):
 if isinstance(self.filters, basestring):
 self.filters = json.loads(self.filters)
 if isinstance(self.fields, basestring):
- self.fields = json.loads(self.fields)
+ if self.fields == "*":
+ self.fields = ["*"]
+ else:
+ self.fields = json.loads(self.fields)
 if isinstance(self.filters, dict):
 fdict = self.filters
 self.filters = []
diff --git a/frappe/public/js/frappe/views/listview.js b/frappe/public/js/frappe/views/listview.js
index e80ca5ab98..e9e958aa19 100644
--- a/frappe/public/js/frappe/views/listview.js
+++ b/frappe/public/js/frappe/views/listview.js
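Review bot: The `"*"` branch handles only the exact string `*`; any other non-JSON fields value arriving from the client still reaches `json.loads` and fails with an unhandled `ValueError`, so consider normalising first with `self.fields = self.fields.strip()` or catching `ValueError` and reporting the offending parameter instead of a traceback. The resulting list is presumably used as column expressions, and nothing in this hunk shows it being validated before it reaches the SELECT clause; if that check lives elsewhere, a comment such as `# fields/filters come from the request; column names are validated before use in SQL` would document the contract at the point where the client string is parsed. The enclosing method starts and ends outside the hunk.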
@@ -514,31 +514,3 @@ frappe.views.ListView = Class.extend({
 $(parent).append(repl(icon_html, {icon_class: icon_class, label: __(label) || ''}));
 }
 });
-
-// embeddable
-frappe.provide('frappe.views.RecordListView');
-frappe.views.RecordListView = frappe.views.DocListView.extend({
- init: function(doctype, wrapper, ListView) {
- this.doctype = doctype;
- this.wrapper = wrapper;
- this.listview = new ListView(this, doctype);
- this.listview.parent = this;
- this.setup();
- },
-
- setup: function() {
- var me = this;
- me.page_length = 10;
- $(me.wrapper).empty();
- me.init_list();
- },
-
- get_args: function() {
- var args = this._super();
- $.each((this.default_filters || []), function(i, f) {
- args.filters.push(f);
- });
- args.docstatus = args.docstatus.concat((this.default_docstatus || []));
- return args;
- },
-});
diff --git a/frappe/widgets/reportview.py b/frappe/widgets/reportview.py
index 304b874f21..7f339e03c7 100644
--- a/frappe/widgets/reportview.py
+++ b/frappe/widgets/reportview.py
@@ -20,6 +20,7 @@ def execute(doctype, query=None, filters=None, fields=None, or_filters=None, doc
 order_by, limit_start, limit_page_length, as_list, with_childnames, debug)
 
 def get_form_params():
+ """Stringify GET request parameters."""
 data = frappe._dict(frappe.local.form_dict)
 del data["cmd"]
 
@@ -31,6 +32,9 @@ def get_form_params():
 if isinstance(data.get("docstatus"), basestring):
 data["docstatus"] = json.loads(data["docstatus"])
 
+ # queries must always be server side
+ data.query = None
+
 return data
 
 def compress(data):
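Review bot: The new docstring `"""Stringify GET request parameters."""` describes the opposite of what the function does: the body (continuing in the next hunk) deserialises JSON-encoded request parameters such as `docstatus` with `json.loads` and removes keys the client must not control (`cmd`, and now `query`). Suggest `"""Parse request form parameters (JSON-encoded values such as docstatus) into a frappe._dict and drop keys that must not be client-controlled."""`. The body of get_form_params continues outside this hunk.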
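Review bot: `data.query = None` silently discards a client-supplied `query` rather than rejecting it, so an attempt to pass one leaves no trace; consider an explicit rejection such as `if data.get("query"): frappe.throw("query cannot be passed from the client")`, or at least a log line, so that such requests are observable. The comment `# queries must always be server side` would carry more weight if it said why, e.g. `# query is only for server-side callers of execute(); the request must never be able to set it`, given the subject line indicates a client-supplied query was previously honoured. This guard also only covers callers that go through get_form_params; any other endpoint that reads frappe.local.form_dict directly is presumably outside its reach and would need the same treatment.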