[Freeipa-devel] [PATCH] 0006 Remove check for alphabetic only characters from domain name validation

Ana Krivokapic akrivoka at redhat.com
Fri Feb 22 15:02:55 UTC 2013


On 02/22/2013 10:19 AM, Petr Spacek wrote:
> On 20.2.2013 11:03, Ana Krivokapic wrote:
>> On 02/18/2013 01:08 PM, Martin Kosek wrote:
>>> On 02/18/2013 12:47 PM, Sumit Bose wrote:
>>>> On Mon, Feb 18, 2013 at 12:27:35PM +0100, Petr Spacek wrote:
>>>>> On 15.2.2013 15:22, Ana Krivokapic wrote:
>>>>>> Hello,
>>>>>>
>>>>>> The .isalpha() check in validate_domain_name() was too strict,
>>>>>> causing some commands like ipa dnsrecord-add to fail.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3385
>>>>> I would add --force option rather than removing whole check, if
>>>>> it's possible.
>>>>>
>>>>> Would it be possible to mention RFC in the error message? Something
>>>>> like _('top level domain label must be alphabetic (RFC 1123 section
>>>>> 2.1)')
>>>>> ?
>>>>>
>>>>> IMHO it is handy, because it educates users.
>>>> The problem is that this check is always done on the last component of
>>>> the domain_name even if it is just a sub-domain of the FreeIPA domain,
>>>> where e.g. numbers are valid characters.
>>>>
>>>> At the beginning of validate_domain_name() a trailing '.' is stripped
>>>> away. iirc the trailing '.' is an indication for a complete, fully
>>>> qualified name. Would it work if the presence of the trailing '.' is
>>>> saved and the check is only done if there was a '.'?
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>> Sure. Though I am now not 100% sure that some IPA functions do not use this
>>> validator with a fqdn hostname without trailing dot. If not, I am for fixing
>>> this function as Sumit and Petr suggested.
>>>
>>> Martin
>>>
>> After some thought, I decided to change the approach.
>>
>> As pointed out by Sumit, the problem was that the validate_domain_name()
>> function did not distinguish between fqdn and non-fqdn domains
>> (subdomains of the IPA domain). The trailing dot is not a clear
>> indication either, because some IPA functions use this validator with an
>> fqdn without the trailing dot.
>>
>> To fix this, I introduced an additional parameter to this function - a
>> flag which indicates whether the domain name is an fqdn or not. The
>> .isalpha() check is then performed only in the case of an fqdn.
>>
>> I also improved the error message to mention the relevant RFC, as
>> suggested by Petr.
>
> Please don't forget to add --force switch. It could be handy.
>
I added the --force switch to ipa dnsrecord-add and opened a new ticket
to handle the rest of the ipa commands that use domain name validation:
https://fedorahosted.org/freeipa/ticket/3455

Updated patch is attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0006-03-Improve-domain-name-validation.patch
Type: text/x-patch
Size: 2994 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130222/167ed222/attachment.bin>
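
An added example, not code from the attached patch or from FreeIPA: a stand-alone Python validator illustrating the approach described in this message, where the alphabetic check on the last label runs only when the caller declares the name fully qualified, and an override skips that one check and nothing else. The function name `check_domain_name`, the parameters `is_fqdn` and `force`, the label syntax rule and the sample names are assumptions.

```python
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
# (Assumed label rule for this example.)
LABEL_RE = re.compile(r'[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?', re.IGNORECASE)


def check_domain_name(name, is_fqdn=True, force=False):
    """Return None if `name` is acceptable, otherwise an error string.

    is_fqdn and force are hypothetical parameters modelling the flag and
    the --force switch discussed in the thread.
    """
    # A trailing dot is stripped, as the thread says the validator does.
    # It is deliberately NOT used to decide whether the name is an FQDN.
    if name.endswith('.'):
        name = name[:-1]
    if not name:
        return 'empty domain name'
    if len(name) > 253:
        return 'domain name is longer than 253 characters'
    labels = name.split('.')
    for label in labels:
        # Syntax checks always run; force never bypasses them.
        if not LABEL_RE.fullmatch(label):
            return 'invalid label %r: only letters, digits and "-" allowed' % label
    # Alphabetic-TLD rule: only meaningful for a fully qualified name.
    if is_fqdn and not force and not labels[-1].isalpha():
        return 'top level domain label must be alphabetic (RFC 1123 section 2.1)'
    return None


# Constructed sample inputs: (name, is_fqdn, force)
SAMPLES = [
    ('example.com', True, False),
    ('example.123', True, False),    # numeric TLD on an FQDN: rejected
    ('host.sub1.42', False, False),  # relative name under the IPA domain
    ('example.123', True, True),     # operator override of the TLD check
    ('bad_label.com', True, False),  # syntax error, not overridable
    ('a..com', True, False),         # empty label
]

if __name__ == '__main__':
    for name, fqdn, force in SAMPLES:
        result = check_domain_name(name, fqdn, force) or 'ok'
        print('%-14s fqdn=%-5s force=%-5s -> %s' % (name, fqdn, force, result))
```
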