Bug 25095 - No error message for invalid UCR variable names
No error message for invalid UCR variable names
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Univention Configuration Registry
UCS 4.1
Other Linux
: P3 normal (vote)
: UCS 4.2-1-errata
Assigned To: Johannes Keiser
Florian Best
:
: 41629 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-12-02 12:31 CET by Alexander Kläser
Modified: 2017-07-12 16:49 CEST (History)
7 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Ticket number:
Bug group (optional): Usability
Max CVSS v3 score:
best: Patch_Available+


Attachments
Patch to check new keys (1.14 KB, patch)
2016-10-12 18:00 CEST, Julius Hinrichs
Details | Diff
Improved patch to check new keys (3.25 KB, patch)
2016-10-14 16:16 CEST, Julius Hinrichs
Details | Diff
python backend patch (without javascript adjustments) (3.22 KB, patch)
2016-10-17 11:01 CEST, Florian Best
Details | Diff
patch (5.16 KB, patch)
2017-07-11 14:20 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Kläser univentionstaff 2011-12-02 12:31:56 CET
Werden im UCR-Modul derzeit beim Anlegen nicht erlaubte Variablennamen angegeben, so wird der Eintrag nicht angelegt, es wird aber auch keine Fehlermeldung ausgegeben. Das könnte durch eine entsprechende RegExp client-seitig gelöst werden.
Comment 1 Florian Best univentionstaff 2011-12-08 11:10:54 CET
Variablen mit einem ? oder = im Namen werden ebenfalls nicht verboten.
Comment 2 Dirk Wiesenthal univentionstaff 2012-12-05 12:30:57 CET
(In reply to comment #1)
> Variablen mit einem ? oder = im Namen werden ebenfalls nicht verboten.

Und kommen durch!
Key: "foo=bar", Value="baz" => foo: bar=baz. Mit ? ist die Situation ähnlich: Was vor dem ? steht wird auf das gesetzt, was danach kommt (falls die Variable noch nicht existiert)
Comment 3 Julius Hinrichs univentionstaff 2016-10-12 18:00:33 CEST
Created attachment 8093 [details]
Patch to check new keys

This patch does not accept keys that contain characters other than a-z, A-Z, 0-9, '/', '.', '_', '-'. Also, a key must contain at least one character. 

However, you can still "create" a "new" variable that overwrites the value of an existing key. It should also be checked if the entered key already exists.
Comment 4 Florian Best univentionstaff 2016-10-12 18:23:05 CEST
(In reply to Julius Hinrichs from comment #3)
> Created attachment 8093 [details]
> Patch to check new keys
> 
> This patch does not accept keys that contain characters other than a-z, A-Z,
> 0-9, '/', '.', '_', '-'. Also, a key must contain at least one character. 
> 
> However, you can still "create" a "new" variable that overwrites the value
> of an existing key. It should also be checked if the entered key already
> exists.

The validation should be done in the backend as well.
Comment 5 Julius Hinrichs univentionstaff 2016-10-14 16:16:27 CEST
Created attachment 8107 [details]
Improved patch to check new keys

This patch performs the same character checks both in the frontend and in the backend. Additionally, in the backend, adding a new variable fails if the given key already exists.
Comment 6 Florian Best univentionstaff 2016-10-17 11:01:55 CEST
Created attachment 8113 [details]
python backend patch (without javascript adjustments)

(In reply to Julius Hinrichs from comment #5)
> Created attachment 8107 [details]
> Improved patch to check new keys
> 
> This patch performs the same character checks both in the frontend and in
> the backend. Additionally, in the backend, adding a new variable fails if
> the given key already exists.

The check now checks if the variable is registered via an info file in UCR but not if the variable is already set. This prevents setting unregistered variables like foo/bar. UCR also has a utility function to validate the key. This should be used instead of the regex. Attached is a patch which fixes both.
Comment 7 Arvid Requate univentionstaff 2016-10-17 15:55:58 CEST
> adding a new variable fails if the given key already exists

Do you mean

ucr set foo=bar
ucr set foo=baz

fails? That would break a lot of things.
Comment 8 Julius Hinrichs univentionstaff 2016-10-17 16:34:33 CEST
(In reply to Arvid Requate from comment #7)
> > adding a new variable fails if the given key already exists
> 
> Do you mean
> 
> ucr set foo=bar
> ucr set foo=baz
> 
> fails? That would break a lot of things.

UMC uses "add" for new variables and "put" for existing ones. "ucr set" in the shell should still cover both cases.
Comment 9 Jürn Brodersen univentionstaff 2016-10-17 16:41:19 CEST
*** Bug 41629 has been marked as a duplicate of this bug. ***
Comment 10 Jürn Brodersen univentionstaff 2016-10-17 16:48:48 CEST
The utility function to validate the key didn't work for me.
See bug 41629
Comment 11 Johannes Keiser univentionstaff 2017-07-07 15:44:40 CEST
(In reply to Florian Best from comment #6)
> Created attachment 8113 [details]
> python backend patch (without javascript adjustments)
> 
> (In reply to Julius Hinrichs from comment #5)
> > Created attachment 8107 [details]
> > Improved patch to check new keys
> > 
> > This patch performs the same character checks both in the frontend and in
> > the backend. Additionally, in the backend, adding a new variable fails if
> > the given key already exists.
> 
> The check now checks if the variable is registered via an info file in UCR
> but not if the variable is already set. This prevents setting unregistered
> variables like foo/bar. UCR also has a utility function to validate the key.
> This should be used instead of the regex. Attached is a patch which fixes
> both.

Applied rebased patch:

r 80972
univention-config-registry (12.0.1-6) 
* Bug #25095: Add a check for ": " in validate_key

r 80974
univention-management-console-module-ucr (6.0.1-5) 
* Bug #25095: Applied patch - Show error message if UCR key is not valid
and improve key validation

YAML: r 80975
Comment 12 Florian Best univentionstaff 2017-07-11 14:20:19 CEST
Created attachment 9012 [details]
patch

OK: changes for validate_key(): it's not allowed anymore to set variables containing ": "
# ucr set 'foo: =bar'
Please fix invalid ": " in config registry key "foo: "
Not setting foo: 

REOPEN: Please make the following adjustments:

* Change "key" to "UCR variable name" in the message: "A valid key must contain at least…"
* The check for the already set UCR variable (e.g. apache2/autostart) doesn't work when adding variables.
* I think the "validate" request is unnecessary and should only be done in the "add" / "put" request.
* I think the validation for ": " is not required to be done in the Javascript. Instead the error message from validate_key() should be used.

I attached a patch which does most of the things. TODO: The translation has to be moved to the other .po file. TODO: the check for duplicated variables needs to be fixed.
Comment 13 Johannes Keiser univentionstaff 2017-07-11 16:26:53 CEST
(In reply to Florian Best from comment #12)
> Created attachment 9012 [details]
> patch
> 

Applied patch:

r 81047
univention-management-console-module-ucr (6.0.1-6) 
* Bug #25095: Applied patch from Florian Best - Simplify error handling
and messages

r 81048
univention-config-registry (12.0.1-7) 
* Bug #25095: Improve wording of validate_key error messages

YAML: r 81050
Comment 14 Florian Best univentionstaff 2017-07-11 17:56:56 CEST
Very nice!

OK: YAML