Escape values for environment variables before saving them

Author: humitos

readthedocs/projects/models.py

@@ -8,6 +8,7 @@
 import logging
 import os
 from builtins import object  # pylint: disable=redefined-builtin
+from six.moves import shlex_quote
 
 from django.conf import settings
 from django.contrib.auth.models import User
@@ -1132,6 +1133,7 @@ def get_feature_display(self):
         return dict(self.FEATURES).get(self.feature_id, self.feature_id)
 
 
+@python_2_unicode_compatible
 class EnvironmentVariable(TimeStampedModel, models.Model):
     name = models.CharField(
         max_length=128,
@@ -1146,3 +1148,10 @@ class EnvironmentVariable(TimeStampedModel, models.Model):
         on_delete=models.CASCADE,
         help_text=_('Project where this variable will be used'),
     )
+
+    def __str__(self):
+        return self.name
+
+    def save(self, *args, **kwargs):  # pylint: disable=arguments-differ
+        self.value = shlex_quote(self.value)
+        return super(EnvironmentVariable, self).save(*args, **kwargs)

readthedocs/templates/projects/environmentvariable_form.html

@@ -12,12 +12,6 @@
 {% block project_edit_content_header %}{% trans "Environment Variables" %}{% endblock %}
 
 {% block project_edit_content %}
-  <p>
-    {% blocktrans trimmed %}
-      Notice that the values are not escaped when your builds are executed.
-      Special characters (for bash) should be escaped accordingly.
-    {% endblocktrans %}
-  </p>
   <form
       method="post"
       action="{% url 'projects_environmentvariables_create' project_slug=project.slug %}">