[Freeipa-devel] [PATCH] 0034 Limit permission and selfservice names

Rob Crittenden rcritten at redhat.com
Tue Apr 10 18:06:39 UTC 2012


Petr Viktorin wrote:
> On 04/10/2012 03:46 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 04/09/2012 03:55 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/2585: ipa permission-add throws
>>>>> internal server error when name contains '<', '>' or other special
>>>>> characters.
>>>>>
>>>>> The problem is, of course, proper escaping; not only in DNs but also in
>>>>> ACIs. Right now we don't really do either.
>>>>>
>>>>> This patch is just a simple workaround: disallow anything except
>>>>> known-good characters. It's just names, so no functionality is lost.
>>>>>
>>>>> All tickets for April are now taken, so unless a new one comes my way,
>>>>> I'll take a dive into the code and fix it properly. This could take some
>>>>> time and would mean somewhat larger changes.
>>>>
>>>> Is there a reason you didn't use pattern/pattern_errmsg instead?
>>>>
>>>> You'd need to change the regex as patterns use re.match rather than
>>>> re.search.
>>>>
>>>> rob
>>>
>>> Right, that makes more sense.
>>> It changes API.txt though. Do I need to bump VERSION in this case?
>>> Also, is there a reason pattern_errmsg is included in API.txt?
>>
>> Yes, please bump VERSION.
>
> Attaching updated patch.
>
>> pattern_errmsg should probably be removed from API.txt. We've been
>> paring back the amount of data to validate slowly as we've run into
>> these questionable items. Please open a ticket for this.
>
> Done: https://fedorahosted.org/freeipa/ticket/2619
>

I made a minor change. VERSION should just update the minor version
number. I changed this, ACK, pushed to master and ipa-2-2

rob
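
The re.match versus re.search point raised in this thread, as an added example that is not part of the patch or of FreeIPA's code: a reject-on-bad-character search and an allowlist pattern checked with re.match only agree when the match pattern is anchored at the end. The character set and sample names are assumptions constructed for illustration; the patch's actual regex is not shown in this thread.

```python
import re

# Hypothetical allowlist for illustration; not the character set from the patch.
ALLOWED = r"[-_ a-zA-Z0-9]"

# Style 1: re.search for any character outside the allowlist (reject on hit).
BAD_CHAR = re.compile(r"[^-_ a-zA-Z0-9]")


def valid_by_search(name):
    """Valid when non-empty and no disallowed character occurs anywhere."""
    return name != "" and BAD_CHAR.search(name) is None


# Style 2: a positive pattern checked with re.match, which anchors only at
# the START of the string. Three variants of the same allowlist:
UNANCHORED = re.compile(ALLOWED + "+")        # accepts a bad tail
DOLLAR = re.compile("^" + ALLOWED + "+$")     # '$' also matches before a final newline
STRICT = re.compile(ALLOWED + r"+\Z")         # must reach the true end of the string


def valid_by_match(pattern, name):
    """Mimic a validator that calls pattern.match(value)."""
    return pattern.match(name) is not None


# Constructed sample names.
SAMPLES = ["Add Users", "web-admins_2", "bad<name>", "<leading",
           "trailing>", "ok\n", ""]


def compare():
    """Map each sample to (search, unanchored, dollar, strict) verdicts."""
    return {
        name: (
            valid_by_search(name),
            valid_by_match(UNANCHORED, name),
            valid_by_match(DOLLAR, name),
            valid_by_match(STRICT, name),
        )
        for name in SAMPLES
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(repr(name), verdicts)
```

Only the `\Z` variant gives the same verdict as the search-based check on every sample here.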



