[Freeipa-devel] [PATCH] 0034 Limit permission and selfservice names

Petr Viktorin pviktori at redhat.com
Tue Apr 10 14:11:19 UTC 2012


On 04/10/2012 03:46 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 04/09/2012 03:55 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> https://fedorahosted.org/freeipa/ticket/2585: ipa permission-add throws
>>>> internal server error when name contains '<', '>' or other special
>>>> characters.
>>>>
>>>> The problem is, of course, proper escaping; not only in DNs but also in
>>>> ACIs. Right now we don't really do either.
>>>>
>>>> This patch is just a simple workaround: disallow anything except
>>>> known-good characters. It's just names, so no functionality is lost.
>>>>
>>>> All tickets for April are now taken, so unless a new one comes my way,
>>>> I'll take a dive into the code and fix it properly. This could take
>>>> some time and would mean somewhat larger changes.
>>>
>>> Is there a reason you didn't use pattern/pattern_errmsg instead?
>>>
>>> You'd need to change the regex as patterns use re.match rather than
>>> re.search.
>>>
>>> rob
>>
>> Right, that makes more sense.
>> It changes API.txt though. Do I need to bump VERSION in this case?
>> Also, is there a reason pattern_errmsg is included in API.txt?
>
> Yes, please bump VERSION.

Attaching updated patch.

> pattern_errmsg should probably be removed from API.txt. We've been
> paring back the amount of data to validate slowly as we've run into
> these questionable items. Please open a ticket for this.

Done: https://fedorahosted.org/freeipa/ticket/2619

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0034-03-Limit-permission-and-selfservice-names-to-alphanumer.patch
Type: text/x-patch
Size: 16059 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120410/79b66c02/attachment.bin>
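
The re.match versus re.search point raised in the thread, as an added example that is not part of the original message or the attached patch: a reject-on-search check and an allow-list handed to re.match only agree when the match pattern is anchored at the end, and '$' still lets a trailing newline through. The character set, names and sample inputs are assumptions made for illustration.

```python
import re

# Assumed allow-list (not taken from the patch): letters, digits, space, '-', '_'.
ALLOWED = "-_ a-zA-Z0-9"

# re.search style: look for any character outside the allow-list.
BAD_CHAR = re.compile("[^%s]" % ALLOWED)
# re.match style, unanchored: only the start of the name is checked.
PREFIX_ONLY = re.compile("[%s]+" % ALLOWED)
# re.match style with '$': '$' also matches just before a trailing newline.
DOLLAR = re.compile("^[%s]+$" % ALLOWED)
# re.match style with '\Z': the whole name must consist of allowed characters.
WHOLE = re.compile(r"^[%s]+\Z" % ALLOWED)


def check(name):
    """Return the verdict of each validation style for one name."""
    return {
        "search_reject": bool(name) and BAD_CHAR.search(name) is None,
        "match_prefix": PREFIX_ONLY.match(name) is not None,
        "match_dollar": DOLLAR.match(name) is not None,
        "match_whole": WHOLE.match(name) is not None,
    }


# Constructed sample names, using the characters mentioned in the ticket.
SAMPLES = ["Add Users", "user_mgmt-1", "bad<name>", "<bad", "name\n", ""]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check(sample))
```

Only the search-based check and the '\Z'-anchored match reject every name containing a character outside the allow-list.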