Martin Kosek wrote:
On Sat, 2012-02-25 at 17:43 -0500, Rob Crittenden wrote:
This patch does two things:

1. Prompts when deleting a master to make clear that this is irreversible
2. Does not allow a deleted master to be reconnected.

Reconnecting to a deleted master causes all heck to break loose because
we delete principals as part of the deletion process. If you reconnect to a
deleted master then we replicate those deletes and the connected master
is now unusable (no principals).

A simple test is:

Install master
Install replica
ipa-replica-manage del replica
ipa-replica-manage connect replica
ipa-server-uninstall -U on replica
re-install replica

The re-install should be successful.


Generally, it looks and works well. I just miss some unattended way to
delete a replica, from another script for example.

I think we may either re-use --force flag for this purpose or introduce
an --unattended flag.

I also found an issue with S4U2Proxy memberPrincipal added for each
replica. Since the memberPrincipal values for a deleted replica are not
removed when a replica is being deleted, ipa-replica-install reports a
(benign) error when it tries to add a duplicate value afterwards. I
filed a ticket for this one:


OK, went with --force.

>From 2edf48679bfad01a0d992dd3bfde22ff8690842c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Sun, 26 Feb 2012 15:08:31 -0500
Subject: [PATCH] Detect non-printable characters in strings when decoding.

We use the LDAP schema to decide whether a value should be treated
as binary or not. This doesn't account for a user that somehow manages
to get binary data stuffed into a non-binary attribute though.

This has the potential to break either XML-RPC or the client trying to
display binary data as a string.

Internally anything that is a python str type is considered binary and
unicode is considered a string.  This patch looks at a string before
decoding it, potentially into a unicode value (what we consider a plain
 ipalib/ |   30 +++++++++++++++++++++++++++---
 1 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/ipalib/ b/ipalib/
index 8d59bd3161466e5d96ff03894a9b43871b8bb19e..14580b40e18e1141d0092e8262205db3bc29e646 100644
--- a/ipalib/
+++ b/ipalib/
@@ -21,6 +21,11 @@ Encoding capabilities.
 from decimal import Decimal
+import re
+from ipapython.ipa_log_manager import *
+# Declaring globally so we only have to compile this once
+non_printable = re.compile(u'[\x00-\x08\x0b\x0c\x0e-\x1F\uD800-\uDFFF\uFFFE\uFFFF]')
 class EncoderSettings(object):
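
Review bot: the wildcard import `from ipapython.ipa_log_manager import *` added at the top of the module pulls every public name from the log manager into the encoder's namespace, while the patch only uses `root_logger`; import `root_logger` by name. Separately, in this patch `non_printable` is only applied to `str` values before decoding, where each character is a single byte, so the `\uD800-\uDFFF\uFFFE\uFFFF` part of the class cannot match there. Either note that next to the pattern or run the check on the decoded unicode value as well.
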
@@ -65,6 +70,19 @@ class Encoder(object):
             return val
         return self.decode(val)
+    def contains_non_printable(self, val):
+        """
+        The XML-RPC spec defines the following characters as allowed:
+         #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
+        The regular expression for the inverse of this is smaller so use that
+        to find those not allowed.
+        Returns True if any matches are found, False if the string is ok.
+        """
+        matches = re.match(non_printable, val)
+        return matches != None
     def encode(self, var):
         Encode any python built-in python type variable into `self.encode_to`.
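
Review bot: in `contains_non_printable`, `re.match(non_printable, val)` only tests at the start of the string, so a control character anywhere after the first position goes undetected and the value is still decoded as text. Call `non_printable.search(val)` on the compiled pattern instead, and return `matches is not None` rather than comparing with `!= None`.
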
@@ -130,9 +148,15 @@ class Encoder(object):
         if isinstance(var, unicode):
             return var
         elif isinstance(var, str):
-            return self.encoder_settings.decode_postprocessor(
-                var.decode(self.encoder_settings.decode_from)
-            )
+            if self.contains_non_printable(var):
+                return var
+            try:
+                return self.encoder_settings.decode_postprocessor(
+                    var.decode(self.encoder_settings.decode_from)
+                )
+            except UnicodeDecodeError, e:
+                root_logger.error('Error decoding Unicode string %s: %s' % (var, str(e)))
+                return var
         elif isinstance(var, (bool, float, Decimal, int, long)):
             return var
         elif isinstance(var, list):
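
Review bot: in the `except UnicodeDecodeError` branch, the `root_logger.error` call interpolates the raw, undecodable `var` into the message with `%s`, which writes arbitrary bytes from the directory straight into the error log; log `repr(var)` (or only its length) instead. Both fallback paths also return the undecoded `str`, so callers receive a binary-typed value for an attribute the schema says is text; a short comment at each `return var` stating that this is intended would help the next reader.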

Freeipa-devel mailing list
