[Freeipa-devel] [PATCH] 061 Validate NAPTR records

Jakub Hrozek jhrozek at redhat.com
Tue Feb 22 10:41:57 UTC 2011 

On Mon, Feb 21, 2011 at 01:18:07PM -0500, Rob Crittenden wrote:
> Jakub Hrozek wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >I'm not sure about checking the flags - this might be a little too much
> >validation.
> >
> >https://fedorahosted.org/freeipa/ticket/840
> 
> I think the flags length check needs to change. I would do this instead:
> 
> flags = flags.replace('"','')
> 
> Otherwise someone might try to pass in the flags 'SAU' and all that
> would get set is A.
> 
> rob

OK, that's much better. New patch attached.
-------------- next part --------------
>From aaeb347cfa015783606058a29b2009cf6306d578 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek at redhat.com>
Date: Fri, 18 Feb 2011 11:00:36 +0100
Subject: [PATCH] Validate NAPTR records

https://fedorahosted.org/freeipa/ticket/840
---
 API.txt               |    8 ++++----
 ipalib/plugins/dns.py |   26 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index b7ea174..56cbb8b 100644
--- a/API.txt
+++ b/API.txt
@@ -515,7 +515,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?',
 option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True)
 option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True)
 option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True)
-option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True)
+option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True)
 option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True)
 option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True)
 option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True)
@@ -559,7 +559,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?',
 option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True)
 option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True)
 option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True)
-option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True)
+option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True)
 option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True)
 option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True)
 option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True)
@@ -604,7 +604,7 @@ option: List('keyrecord?', attribute=True, cli_name='key_rec',ist('keyrecord?',
 option: List('kxrecord?', attribute=True, cli_name='kx_rec',ist('kxrecord?', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True)
 option: List('locrecord?', attribute=True, cli_name='loc_rec',ist('locrecord?', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True)
 option: List('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord?', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True)
-option: List('naptrrecord?', attribute=True, cli_name='naptr_rec',ist('naptrrecord?', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True)
+option: List('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord?', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True)
 option: List('nsrecord?', attribute=True, cli_name='ns_rec',ist('nsrecord?', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True)
 option: List('nsecrecord?', attribute=True, cli_name='nsec_rec',ist('nsecrecord?', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True)
 option: List('nsec3record?', attribute=True, cli_name='nsec3_rec',ist('nsec3record?', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True)
@@ -661,7 +661,7 @@ option: List('keyrecord', attribute=True, cli_name='key_rec',ist('keyrecord', at
 option: List('kxrecord', attribute=True, cli_name='kx_rec',ist('kxrecord', attribute=True, cli_name='kx_rec', doc='comma-separated list of KX records', label='KX record', multivalue=True, query=True, required=False)
 option: List('locrecord', attribute=True, cli_name='loc_rec',ist('locrecord', attribute=True, cli_name='loc_rec', doc='comma-separated list of LOC records', label='LOC record', multivalue=True, query=True, required=False)
 option: List('mxrecord', _validate_mx, attribute=True, cli_name='mx_rec',ist('mxrecord', _validate_mx, attribute=True, cli_name='mx_rec', doc='comma-separated list of MX records', label='MX record', multivalue=True, query=True, required=False)
-option: List('naptrrecord', attribute=True, cli_name='naptr_rec',ist('naptrrecord', attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True, query=True, required=False)
+option: List('naptrrecord', _validate_naptr, attribute=True, cli_name='naptr_rec',ist('naptrrecord', _validate_naptr, attribute=True, cli_name='naptr_rec', doc='comma-separated list of NAPTR records', label='NAPTR record', multivalue=True, query=True, required=False)
 option: List('nsrecord', attribute=True, cli_name='ns_rec',ist('nsrecord', attribute=True, cli_name='ns_rec', doc='comma-separated list of NS records', label='NS record', multivalue=True, query=True, required=False)
 option: List('nsecrecord', attribute=True, cli_name='nsec_rec',ist('nsecrecord', attribute=True, cli_name='nsec_rec', doc='comma-separated list of NSEC records', label='NSEC record', multivalue=True, query=True, required=False)
 option: List('nsec3record', attribute=True, cli_name='nsec3_rec',ist('nsec3record', attribute=True, cli_name='nsec3_rec', doc='comma-separated list of NSEC3 records', label='NSEC3 record', multivalue=True, query=True, required=False)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index ed2f955..a18940b 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -155,12 +155,38 @@ def _validate_mx(ugettext, mx):
 
     return None
 
+def _validate_naptr(ugettext, naptr):
+    "see RFC 2915 "
+    try:
+        order, pref, flags, svc, regexp, replacement = naptr.split()
+    except ValueError:
+        return u'format must be specified as "order preference flags service regexp replacement"'
+
+    try:
+        order = int(order)
+        pref = int(pref)
+    except ValueError:
+        return u'order and preference must be integers'
+
+    if order < 0 or order > 65535 or pref < 0 or pref > 65535:
+        return u'the value of order and preference must be between 0 and 65535'
+
+    flags = flags.replace('"','')
+    flags = flags.replace('\'','')
+    if len(flags) != 1:
+        return u'flag must be a single character (quotation is allowed)'
+    if flags.upper() not in "SAUP":
+        return u'flag must be one of "S", "A", "U", or "P"'
+
+    return None
+
 _record_validators = {
     u'A': _validate_ipaddr,
     u'AAAA': _validate_ipaddr,
     u'APL': _validate_ipnet,
     u'SRV': _validate_srv,
     u'MX': _validate_mx,
+    u'NAPTR': _validate_naptr,
 }
 
 def has_cli_options(entry, no_option_msg):
-- 
1.7.4

More information about the Freeipa-devel mailing list