From 5e06cb0e1d4f4bcda2976a1daba6dbb4a3b011c7 Mon Sep 17 00:00:00 2001
From: Guillaume Horel
Date: Fri, 23 Nov 2018 18:39:05 -0500
Subject: bretelles et ceinture
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On veut être sur qu'il n'y a pas d'injection sql possible à travers le nom des colonnes, donc on utilise une whitelist.
---
 famille.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/famille.py b/famille.py
index 4bc11f7..f910a33 100644
--- a/famille.py
+++ b/famille.py
@@ -269,8 +269,10 @@ def edit_user():
 pass
 result['notify'] = "notify" in request.form
- result.update({k: v for k, v in request.form.items() if k not in
- ['password', 'password_confirm', 'notify']})
+ for k in ["birthday", "nameday", "email", "phone", "adress_line1",
+ "adress_line2", "adress_city_line", "timezone"]:
+ if k in result.form:
+ result[k] = result.form[k]
 set_string = ",".join([f"{k}=?" for k in result.keys()])
 sqlstr = f"UPDATE users SET {set_string} WHERE id=?"
 db = get_db()
-- 
cgit v1.2.3-70-g09d2
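Review bot: The two new lines inside the loop read `result.form`, but `result` is the plain dict being assembled here (it is indexed as `result['notify']` just above and iterated with `result.keys()` just below), while the submitted form lives in `request.form` as the removed comprehension used; as written the branch raises AttributeError before any column is copied. The lines should read `if k in request.form:` and `result[k] = request.form[k]`. The allowlist itself is the right way to keep attacker-chosen column names out of the f-string, and since the SET clause is built from `result.keys()` it is worth saying so in a comment on the loop, e.g. `# only these column names may reach the SET clause; values are bound as parameters`. Consider hoisting the list to a module-level constant named for its purpose so the allowed columns are declared once rather than inline. edit_user begins before and continues after this hunk.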