Petr Viktorin wrote:
On 04/10/2012 03:46 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 04/09/2012 03:55 PM, Rob Crittenden wrote:
Petr Viktorin wrote: ipa permission-add
internal server error when name contains '<', '>' or other special

The problem is, of course, proper escaping; not only in DNs but
also in
ACIs. Right now we don't really do either.

This patch is just a simple workaround: disallow anything except
known-good characters. It's just names, so no functionality is lost.

All tickets for April are now taken, so unless a new one comes my way,
I'll take a dive into the code and fix it properly. This could take
time and would mean somewhat larger changes.

Is there a reason you didn't use pattern/pattern_errmsg instead?

You'd need to change the regex as patterns use re.match rather than


Right, that makes more sense.
It changes API.txt though. Do I need to bump VERSION in this case?
Also, is there a reason pattern_errmsg is included in API.txt?

Yes, please bump VERSION.

Attaching updated patch.

pattern_errmsg should probably be removed from API.txt. We've been
paring back the amount of data to validate slowly as we've run into
these questionable items. Please open a ticket for this.


I made a minor change. VERSION shoudl just update the minor version number. I changed this, ACK, pushed to master and ipa-2-2


Freeipa-devel mailing list

Reply via email to