[Freeipa-devel] [PATCH] 871 add hostname regex

Rob Crittenden rcritten at redhat.com
Thu Sep 22 18:25:05 UTC 2011


Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Tue, 13 Sep 2011, Jan Cholasta wrote:
>>>>>> What about IDN hosts? With this change we would require them to be
>>>>>> always in Punycode?
>>>>>>
>>>>>
>>>>> Oh, hadn't considered that, I was just following the relevent RFCs. Is
>>>>> there a way we can easily support those as well?
>>>>
>>>> The easiest way would probably be:
>>>>
>>>> normalizer=lambda value: unicode(value.encode('idna'))
>>> That's one part. Another one is visualizing such content -- for both
>>> Web UI and CLI we would need to run encodings.idna.ToUnicode().
>>> Finally, make sure whatever we pass to external applications is
>>> properly formatted as well -- all of them should be able to work with
>>> xn-<Punycode> form.
>>
>> The UI also links the DNS hostname to the host entries so I'd think the
>> names must be matchable in some way. If DNS can only store punycode
>> names I think the regex will be fine.
>
> I think we're going to need a bit more time to get this right. What I
> propose for the short term is to encode in puny code, do the validation,
> and reject as required. We still store in full unicode.
>
> Note that special characters may not work that will now but validating
> characters won't make it any worse.
>
> rob

As it turns out Kerberos doesn't support this type of hostname so my 
original patch stands for now. We can't allow non-ascii hostnames. I'll 
open a 3.0 ticket to investigate further.

rob




More information about the Freeipa-devel mailing list