[Freeipa-devel] [PATCH] 871 add hostname regex
Martin Kosek
mkosek at redhat.com
Tue Sep 27 14:11:48 UTC 2011
On Thu, 2011-09-22 at 14:25 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Alexander Bokovoy wrote:
> >>> On Tue, 13 Sep 2011, Jan Cholasta wrote:
> >>>>>> What about IDN hosts? With this change we would require them to be
> >>>>>> always in Punycode?
> >>>>>>
> >>>>>
> >>>>> Oh, hadn't considered that, I was just following the relevent RFCs. Is
> >>>>> there a way we can easily support those as well?
> >>>>
> >>>> The easiest way would probably be:
> >>>>
> >>>> normalizer=lambda value: unicode(value.encode('idna'))
> >>> That's one part. Another one is visualizing such content -- for both
> >>> Web UI and CLI we would need to run encodings.idna.ToUnicode().
> >>> Finally, make sure whatever we pass to external applications is
> >>> properly formatted as well -- all of them should be able to work with
> >>> xn-<Punycode> form.
> >>
> >> The UI also links the DNS hostname to the host entries so I'd think the
> >> names must be matchable in some way. If DNS can only store punycode
> >> names I think the regex will be fine.
> >
> > I think we're going to need a bit more time to get this right. What I
> > propose for the short term is to encode in puny code, do the validation,
> > and reject as required. We still store in full unicode.
> >
> > Note that special characters may not work that will now but validating
> > characters won't make it any worse.
> >
> > rob
>
> As it turns out Kerberos doesn't support this type of hostname so my
> original patch stands for now. We can't allow non-ascii hostnames. I'll
> open a 3.0 ticket to investigate further.
>
> rob
>
In that case, ACK. I tested the current patch and it works fine. Lets
deal with internationalized domains in ticket 1845 you created.
Pushed to master, ipa-2-1.
Martin
More information about the Freeipa-devel
mailing list