From 4561c3bcd928488c3f353b1e1b906726d1e7f8f2 Mon Sep 17 00:00:00 2001
From: fonfon
Date: Sun, 3 May 2015 19:19:15 +0200
Subject: [PATCH] Removed quote-checking functionality from pagekite actions.py doesn't use shlex.quote anymore so I don't have to check for accidentially quoted things anymore.
---
 actions/pagekite_util.py | 26 --------------------------
 plinth/modules/pagekite/urls.py | 3 ++-
 plinth/modules/pagekite/util.py | 19 -------------------
 plinth/tests/test_pagekite.py | 4 ----
 4 files changed, 2 insertions(+), 50 deletions(-)
diff --git a/actions/pagekite_util.py b/actions/pagekite_util.py
index c41f5b052..db8f9ac1c 100644
--- a/actions/pagekite_util.py
+++ b/actions/pagekite_util.py
@@ -29,7 +29,6 @@ Utilities for configuring PageKite.
 # until then, this file is python2 and python3 compatible for the unittests
 import os
-import shlex
 CONF_PATH = '/files/etc/pagekite.d'
 SERVICE_PARAMS = ['protocol', 'kitename', 'backend_host', 'backend_port',
@@ -42,31 +41,6 @@ def convert_to_service(service_string):
 {'kitename': '@kitename', 'backend_host': 'localhost', \
 'secret': '@kitesecret', 'protocol': 'https/443', 'backend_port': '443'}
 """
- # The actions.py uses shlex.quote() to escape/quote malicious user input.
- # That affects '*.@kitename', so the params string gets quoted.
- # If the string is escaped and contains '*.@kitename', look whether shlex
- # would still quote/escape the string when we remove '*.@kitename'.
-
- # TODO: use shlex only once augeas-python supports python3
- if hasattr(shlex, 'quote'):
- quotefunction = shlex.quote
- else:
- import pipes
- quotefunction = pipes.quote
-
- if service_string.startswith("'") and service_string.endswith("'"):
- unquoted_string = service_string[1:-1]
- error_msg = "The parameters contain suspicious characters: %s "
- if '*.@kitename' in service_string:
- unquoted_test_string = unquoted_string.replace('*.@kitename', '')
- if unquoted_test_string == quotefunction(unquoted_test_string):
- # no other malicious characters found, use the unquoted string
- service_string = unquoted_string
- else:
- raise RuntimeError(error_msg % service_string)
- else:
- raise RuntimeError(error_msg % service_string)
-
 try:
 params = dict(zip(SERVICE_PARAMS, service_string.split(':')))
 except Exception:
diff --git a/plinth/modules/pagekite/urls.py b/plinth/modules/pagekite/urls.py
index 9f6a1921d..90b5ec3a7 100644
--- a/plinth/modules/pagekite/urls.py
+++ b/plinth/modules/pagekite/urls.py
@@ -36,5 +36,6 @@ urlpatterns = patterns( # pylint: disable-msg=C0103
 url(r'^apps/pagekite/services/custom$',
 login_required(CustomServiceView.as_view()), name='custom-services'),
 url(r'^apps/pagekite/services/custom/delete$',
- login_required(DeleteServiceView.as_view()), name='delete-custom-service'),
+ login_required(DeleteServiceView.as_view()),
+ name='delete-custom-service'),
 )
diff --git a/plinth/modules/pagekite/util.py b/plinth/modules/pagekite/util.py
index d5d79983e..16c809a8b 100644
--- a/plinth/modules/pagekite/util.py
+++ b/plinth/modules/pagekite/util.py
@@ -17,7 +17,6 @@
 from gettext import gettext as _
 import logging
-import shlex
 from plinth import actions
@@ -82,24 +81,6 @@ def convert_to_service(service_string):
 >>> output == expected_output
 True
 """
- # The actions.py uses shlex.quote() to escape/quote malicious user input.
- # That affects '*.@kitename', so the params string gets quoted.
- # If the string is escaped and contains '*.@kitename', look whether shlex
- # would still quote/escape the string when we remove '*.@kitename'.
-
- if service_string.startswith("'") and service_string.endswith("'"):
- unquoted_string = service_string[1:-1]
- error_msg = "The parameters contain suspicious characters: %s "
- if '*.@kitename' in service_string:
- unquoted_test_string = unquoted_string.replace('*.@kitename', '')
- if unquoted_test_string == shlex.quote(unquoted_test_string):
- # no other malicious characters found, use the unquoted string
- service_string = unquoted_string
- else:
- raise RuntimeError(error_msg % service_string)
- else:
- raise RuntimeError(error_msg % service_string)
-
 try:
 params = dict(zip(SERVICE_PARAMS, service_string.split(':')))
 except Exception:
diff --git a/plinth/tests/test_pagekite.py b/plinth/tests/test_pagekite.py
index 2fc04f597..a90e62e38 100644
--- a/plinth/tests/test_pagekite.py
+++ b/plinth/tests/test_pagekite.py
@@ -59,7 +59,3 @@ class TestPagekiteActions(unittest.TestCase):
 """ Test constructing parameter dictionaries out of string """
 for test in self._tests:
 self.assertEqual(test['params'], convert_to_service(test['line']))
-
- line = "'https/80'; touch /etc/fstab':*.@kitename:localhost:80:foo'"
- with self.assertRaises(RuntimeError):
- convert_to_service(line)
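Review bot: The negative case removed at the end of the test in plinth/tests/test_pagekite.py was the only input with shell metacharacters exercised against convert_to_service, and nothing takes its place, so the assumption in the commit message (the caller no longer quotes its arguments) is left untested. With the checks also gone from both convert_to_service copies (actions/pagekite_util.py and plinth/modules/pagekite/util.py), any string now reaches `dict(zip(SERVICE_PARAMS, service_string.split(':')))` unchanged; what the code after the `try` does with a first field like the one in that fixture is outside the hunks. I would keep the `line` fixture and assert on the dictionary it now yields instead of deleting it, and state the contract above the `try` with `# service_string is used verbatim; callers must pass it as a single argument, never via a shell`. The test method and both function bodies start or end outside their hunks.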