Removed quote-checking functionality from pagekite

actions.py doesn't use shlex.quote anymore so I don't
have to check for accidentally quoted things anymore.
fonfon 2015-05-03 19:19:15 +02:00
parent 7af92d9e65
commit 4561c3bcd9
4 changed files with 2 additions and 50 deletions


@ -29,7 +29,6 @@ Utilities for configuring PageKite.
# until then, this file is python2 and python3 compatible for the unittests
import os
import shlex
CONF_PATH = '/files/etc/pagekite.d'
SERVICE_PARAMS = ['protocol', 'kitename', 'backend_host', 'backend_port',
@ -42,31 +41,6 @@ def convert_to_service(service_string):
{'kitename': '@kitename', 'backend_host': 'localhost', \
'secret': '@kitesecret', 'protocol': 'https/443', 'backend_port': '443'}
"""
# The actions.py uses shlex.quote() to escape/quote malicious user input.
# That affects '*.@kitename', so the params string gets quoted.
# If the string is escaped and contains '*.@kitename', look whether shlex
# would still quote/escape the string when we remove '*.@kitename'.
# TODO: use shlex only once augeas-python supports python3
if hasattr(shlex, 'quote'):
quotefunction = shlex.quote
else:
import pipes
quotefunction = pipes.quote
if service_string.startswith("'") and service_string.endswith("'"):
unquoted_string = service_string[1:-1]
error_msg = "The parameters contain suspicious characters: %s "
if '*.@kitename' in service_string:
unquoted_test_string = unquoted_string.replace('*.@kitename', '')
if unquoted_test_string == quotefunction(unquoted_test_string):
# no other malicious characters found, use the unquoted string
service_string = unquoted_string
else:
raise RuntimeError(error_msg % service_string)
else:
raise RuntimeError(error_msg % service_string)
try:
params = dict(zip(SERVICE_PARAMS, service_string.split(':')))
except Exception:
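Review bot: With the quote check removed, the only guard left around the parse is the `try`/`except Exception:` wrapping `dict(zip(SERVICE_PARAMS, service_string.split(':')))`, and `zip` never raises on a length mismatch. A line with too few or too many `:`-separated fields therefore produces a dict with missing keys or silently dropped trailing fields instead of an error. If every service line is expected to carry all of SERVICE_PARAMS, check the count explicitly before building the dict: `fields = service_string.split(':')` followed by `if len(fields) != len(SERVICE_PARAMS): raise RuntimeError(...)`. The same applies to the second copy of convert_to_service changed later in this commit. The function body continues past the hunk, so the except branch may handle something not visible here.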


@ -36,5 +36,6 @@ urlpatterns = patterns( # pylint: disable-msg=C0103
url(r'^apps/pagekite/services/custom$',
login_required(CustomServiceView.as_view()), name='custom-services'),
url(r'^apps/pagekite/services/custom/delete$',
login_required(DeleteServiceView.as_view()), name='delete-custom-service'),
login_required(DeleteServiceView.as_view()),
name='delete-custom-service'),
)


@ -17,7 +17,6 @@
from gettext import gettext as _
import logging
import shlex
from plinth import actions
@ -82,24 +81,6 @@ def convert_to_service(service_string):
>>> output == expected_output
True
"""
# The actions.py uses shlex.quote() to escape/quote malicious user input.
# That affects '*.@kitename', so the params string gets quoted.
# If the string is escaped and contains '*.@kitename', look whether shlex
# would still quote/escape the string when we remove '*.@kitename'.
if service_string.startswith("'") and service_string.endswith("'"):
unquoted_string = service_string[1:-1]
error_msg = "The parameters contain suspicious characters: %s "
if '*.@kitename' in service_string:
unquoted_test_string = unquoted_string.replace('*.@kitename', '')
if unquoted_test_string == shlex.quote(unquoted_test_string):
# no other malicious characters found, use the unquoted string
service_string = unquoted_string
else:
raise RuntimeError(error_msg % service_string)
else:
raise RuntimeError(error_msg % service_string)
try:
params = dict(zip(SERVICE_PARAMS, service_string.split(':')))
except Exception:
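Review bot: After this change convert_to_service returns whatever text sits between the colons, and the commit also deletes the unit test that expected a RuntimeError for a line containing shell metacharacters. Nothing visible on this page now documents or tests how such input is handled. The safety of these values presumably rests on actions.py no longer routing them through a shell, which the commit message implies but does not state, so the docstring should record that assumption, e.g. `Note: values are returned unvalidated; callers must not interpolate them into a shell command line.` A replacement test asserting that such a line now parses into plain string fields would keep the case covered rather than dropped. The function starts and ends outside the hunk.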


@ -59,7 +59,3 @@ class TestPagekiteActions(unittest.TestCase):
""" Test constructing parameter dictionaries out of string """
for test in self._tests:
self.assertEqual(test['params'], convert_to_service(test['line']))
line = "'https/80'; touch /etc/fstab':*.@kitename:localhost:80:foo'"
with self.assertRaises(RuntimeError):
convert_to_service(line)