[Freeipa-devel] [PATCH] 0006 Remove check for alphabetic only characters from domain name validation

Petr Spacek pspacek at redhat.com
Fri Feb 22 09:19:12 UTC 2013


On 20.2.2013 11:03, Ana Krivokapic wrote:
> On 02/18/2013 01:08 PM, Martin Kosek wrote:
>> On 02/18/2013 12:47 PM, Sumit Bose wrote:
>>> On Mon, Feb 18, 2013 at 12:27:35PM +0100, Petr Spacek wrote:
>>>> On 15.2.2013 15:22, Ana Krivokapic wrote:
>>>>> Hello,
>>>>>
>>>>> The .isalpha() check in validate_domain_name() was too strict,
>>>>> causing some commands like ipa dnsrecord-add to fail.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3385
>>>> I would add --force option rather than removing whole check, if it's possible.
>>>>
>>>> Would it be possible to mention RFC in the error message? Something
>>>> like _('top level domain label must be alphabetic (RFC 1123 section
>>>> 2.1)')
>>>> ?
>>>>
>>>> IMHO it is handy, because it educates users.
>>> The problem is that this check is always done on the last component of
>>> the domain_name even if it is just a sub-domain of the FreeIPA domain,
>>> where e.g. numbers are valid characters.
>>>
>>> At the beginning of validate_domain_name() a trailing '.' is stripped
>>> away. iirc the trailing '.' is an indication for a complete, fully
>>> qualified name. Would it work if the presence of the trailing '.' is
>>> saved and the check is only done if there was a '.'?
>>>
>>> bye,
>>> Sumit
>>>
>> Sure. Though I am now not 100% sure that some IPA functions do not use this
>> validator with a fqdn hostname without trailing dot. If not, I am for fixing
>> this function as Sumit and Petr suggested.
>>
>> Martin
>>
> After some thought, I decided to change the approach.
>
> As pointed out by Sumit, the problem was that the validate_domain_name()
> function did not distinguish between fqdn and non-fqdn domains
> (subdomains of the IPA domain). The trailing dot is not a clear
> indication either, because some IPA functions use this validator with an
> fqdn without the trailing dot.
>
> To fix this, I introduced an additional parameter to this function - a
> flag which indicates whether the domain name is an fqdn or not. The
> .isalpha() check is then performed only in the case of an fqdn.
>
> I also improved the error message to mention the relevant RFC, as
> suggested by Petr.

Please don't forget to add --force switch. It could be handy.

-- 
Petr^2 Spacek
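
A sketch of the approach discussed in this thread, as an added example that is not the FreeIPA patch or FreeIPA's own code: the TLD alphabetic check runs only when the caller marks the name as an fqdn. The `is_fqdn` and `force` parameter names, the label regex and the `check` helper are assumptions made for illustration.

```python
import re

# Added example, not FreeIPA code. One DNS label: letters, digits and hyphens,
# 1-63 characters, no leading or trailing hyphen. ASCII classes are spelled
# out so that Unicode look-alikes are rejected.
LABEL_RE = re.compile(r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?')
TLD_ERROR = 'top level domain label must be alphabetic (RFC 1123 section 2.1)'


def validate_domain_name(domain_name, is_fqdn=True, force=False):
    """Raise ValueError when domain_name is not acceptable.

    is_fqdn -- assumed flag: True for a complete name, False for a name
               relative to the IPA domain (digits allowed in the last label).
    force   -- hypothetical override that skips only the TLD check.
    """
    # A trailing dot is stripped and deliberately NOT used to decide whether
    # the name is an fqdn, since some callers pass an fqdn without it.
    if domain_name.endswith('.'):
        domain_name = domain_name[:-1]
    if len(domain_name) > 253:
        raise ValueError('domain name is longer than 253 characters')

    labels = domain_name.split('.')
    for label in labels:
        if not label:
            raise ValueError('empty DNS label')
        if not LABEL_RE.fullmatch(label):
            raise ValueError('invalid DNS label: %r' % label)

    # Only a complete name has a top-level label to check. This is also what
    # keeps a dotted-decimal address from being accepted as a host name.
    if is_fqdn and not force and not labels[-1].isalpha():
        raise ValueError(TLD_ERROR)


def check(name, **kwargs):
    """Return 'ok' or the validation error text (helper for this example)."""
    try:
        validate_domain_name(name, **kwargs)
        return 'ok'
    except ValueError as e:
        return str(e)


if __name__ == '__main__':
    # Constructed sample inputs.
    for name, kw in [('example.com', {}), ('host1.123', {'is_fqdn': False}),
                     ('10.0.0.1', {}), ('10.0.0.1', {'force': True})]:
        print(name, kw, '->', check(name, **kw))
```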



