[Freeipa-devel] [PATCH] 0006 Remove check for alphabetic only characters from domain name validation

Ana Krivokapic akrivoka at redhat.com
Wed Feb 20 10:03:26 UTC 2013


On 02/18/2013 01:08 PM, Martin Kosek wrote:
> On 02/18/2013 12:47 PM, Sumit Bose wrote:
>> On Mon, Feb 18, 2013 at 12:27:35PM +0100, Petr Spacek wrote:
>>> On 15.2.2013 15:22, Ana Krivokapic wrote:
>>>> Hello,
>>>>
>>>> The .isalpha() check in validate_domain_name() was too strict,
>>>> causing some commands like ipa dnsrecord-add to fail.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3385
>>> I would add --force option rather than removing whole check, if it's possible.
>>>
>>> Would it be possible to mention RFC in the error message? Something
>>> like _('top level domain label must be alphabetic (RFC 1123 section
>>> 2.1)')
>>> ?
>>>
>>> IMHO it is handy, because it educates users.
>> The problem is that this check is always done on the last component of
>> the domain_name even if it is just a sub-domain of the FreeIPA domain,
>> where e.g. numbers are valid characters.
>>
>> At the beginning of validate_domain_name() a trailing '.' is stripped
>> away. iirc the trailing '.' is an indication for a complete, fully
>> qualified name. Would it work if the presence of the trailing '.' is
>> saved and the check is only done if there was a '.'?
>>
>> bye,
>> Sumit
>>
> Sure. Though I am now not 100% sure that some IPA functions do not use this
> validator with a fqdn hostname without trailing dot. If not, I am for fixing
> this function as Sumit and Petr suggested.
>
> Martin
>
After some thought, I decided to change the approach.

As pointed out by Sumit, the problem was that the validate_domain_name()
function did not distinguish between fqdn and non-fqdn domains
(subdomains of the IPA domain). The trailing dot is not a clear
indication either, because some IPA functions use this validator with an
fqdn without the trailing dot.

To fix this, I introduced an additional parameter to this function - a
flag which indicates whether the domain name is an fqdn or not. The
.isalpha() check is then performed only in the case of an fqdn.

I also improved the error message to mention the relevant RFC, as
suggested by Petr.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0006-02-Improve-domain-name-validation.patch
Type: text/x-patch
Size: 2293 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130220/d1492864/attachment.bin>
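
Added example, not part of the original message and not the attached FreeIPA patch: a Python sketch of the approach described above, where the alphabetic check on the last label runs only when the caller says the name is fully qualified. The `is_fqdn` parameter name, the `check` helper, the label regex and the length limit are assumptions; the RFC error text is the wording suggested earlier in the thread.

```python
import re

# Assumed label syntax: ASCII letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen. re.ASCII stops IGNORECASE from matching
# non-ASCII look-alikes such as U+212A (Kelvin sign) against [a-z].
_LABEL = re.compile(r'[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?',
                    re.IGNORECASE | re.ASCII)


def validate_domain_name(domain_name, is_fqdn=True):
    """Raise ValueError if domain_name is malformed.

    is_fqdn (hypothetical parameter name) tells the validator whether the
    last label is a real top-level domain. The caller states this
    explicitly because a trailing dot is not a reliable signal.
    """
    if domain_name.endswith('.'):
        domain_name = domain_name[:-1]
    if len(domain_name) > 253:
        raise ValueError('domain name is too long')
    labels = domain_name.split('.')
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError('invalid DNS label: %r' % label)
    # Only a fully qualified name ends in a TLD, so only then must the
    # last label be alphabetic.
    if is_fqdn and not labels[-1].isalpha():
        raise ValueError('top level domain label must be alphabetic '
                         '(RFC 1123 section 2.1)')


def check(domain_name, is_fqdn):
    """Return None if the name validates, else the error text."""
    try:
        validate_domain_name(domain_name, is_fqdn)
    except ValueError as e:
        return str(e)
    return None


if __name__ == '__main__':
    # Constructed sample inputs.
    for name, fqdn in [('example.com', True), ('example.com.', True),
                       ('lab.42', True), ('lab.42', False), ('42', False)]:
        print(name, fqdn, check(name, fqdn))
```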

