Bug 58898 - Wrong regex for UDM syntax gid allows wrong characters
Summary: Wrong regex for UDM syntax gid allows wrong characters
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2-4-errata
Assignee: Felix Botner
QA Contact: Florian Best
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on: 54589
Blocks:
Reported: 2025-12-11 10:04 CET by Felix Botner
Modified: 2025-12-18 15:59 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Description Felix Botner univentionstaff 2025-12-11 10:04:16 CET
+++ This bug was initially created as a clone of Bug #54589 +++

The regular expression for the UDM syntax gid does not represent what is really meant by the author and what is useful.

" -." does not only allow the characters space, dash and dot but all characters in the ASCII range " " (32) up to "." (46) → see list of wrongly allowed characters below.

IIRC the correct regex would be: u"(?u)^\\w([\\w .-]*\\w)?$"

ALSO: Please check, why single ticks are currently allowed in group names!

Also note: this is a breaking change. We have to find an appropriate release for this change and have to announce this change before! (in case a customer used a lot of e.g. plus signs in group names)

class gid(simple):
	min_length = 1   # TODO: not enforced here
	max_length = 32  # TODO: not enforced here
	regex = re.compile(u"(?u)^\\w([\\w -.’]*\\w)?$")
	# FIXME: The " -." in "[\w -.]" matches the ASCII character range(ord(' '),  ord('.')+1) == range(32, 47)
	error_message = _(
		"A group name must start and end with a letter, number or underscore. In between additionally spaces, dashes "
		"and dots are allowed."
	)

$ python3
>>> for i in range(ord(' '), ord('.')+1): print(i, repr(chr(i)))
... 
32 ' '
33 '!'
34 '"'
35 '#'
36 '$'
37 '%'
38 '&'
39 "'"
40 '('
41 ')'
42 '*'
43 '+'
44 ','
45 '-'
46 '.'
>>> 

root@master:~# udm groups/group create --position cn=groups,$(ucr get ldap/base) --set name="Group (name) + cool2"
Object created: cn=Group (name) \+ cool,cn=groups,dc=dev,dc=nstx,dc=de
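The following is an added worked example, not code from the bug report or from UDM itself. It puts the regex quoted from the `gid` syntax class next to the regex proposed in the description and enumerates which printable ASCII characters each one lets through in the middle of a group name, which makes the unintended " -." range (32 to 46) visible without reading the pattern. The function and variable names are made up for this example; the group name in the check is the one from the `udm groups/group create` call above.

```python
import re

# Regex as quoted from the UDM gid syntax class in the bug report.
# Inside the character class, " -." is a *range* from " " (32) to "." (46),
# so "!", "+", "(", ")" and friends are accepted; the trailing typographic
# single tick is the "single tick" the report asks about.
BUGGY_GID_RE = re.compile(u"(?u)^\\w([\\w -.’]*\\w)?$")

# Regex proposed in the bug report: the dash is moved to the end of the class
# so it is a literal dash, and the single tick is gone.
PROPOSED_GID_RE = re.compile(u"(?u)^\\w([\\w .-]*\\w)?$")


def interior_chars_accepted(regex, candidates=None):
    """Return the sorted list of single characters c for which "a" + c + "b"
    matches, i.e. characters the regex allows in the middle of a group name.
    Defaults to the printable ASCII range."""
    if candidates is None:
        candidates = [chr(i) for i in range(32, 127)]
    return sorted(c for c in candidates if regex.match("a" + c + "b"))


def wrongly_allowed_chars():
    """Characters the quoted regex accepts but the proposed one rejects."""
    return sorted(
        set(interior_chars_accepted(BUGGY_GID_RE))
        - set(interior_chars_accepted(PROPOSED_GID_RE))
    )


def is_valid_gid(name, regex=PROPOSED_GID_RE):
    """True if the whole name matches the given gid regex."""
    return regex.match(name) is not None


if __name__ == "__main__":
    # Group name taken from the udm call in the report: accepted by the quoted
    # regex because of "(", ")" and "+", rejected by the proposed one.
    name = "Group (name) + cool2"
    print("quoted regex accepts %r: %s" % (name, is_valid_gid(name, BUGGY_GID_RE)))
    print("proposed regex accepts %r: %s" % (name, is_valid_gid(name)))
    print("wrongly allowed:", "".join(wrongly_allowed_chars()))
```

Running the script prints the twelve characters between "!" (33) and "," (44) as wrongly allowed; space, dash and dot are accepted by both patterns, and the proposed pattern still rejects a trailing dash, which is what the follow-up commit in Comment 1 changes.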
Comment 1 Felix Botner univentionstaff 2025-12-11 10:14:07 CET
cherry-picked

e84befeb173 chore(udm): update advisory
4fb2ae6de19 feat(udm): Allow trailing dash in uid and gid syntaxes

Successful build
Package: univention-directory-manager-modules
Version: 17.4.4
Release: 5.2-0
Scope: errata5.2-4
Comment 2 Florian Best univentionstaff 2025-12-15 23:02:01 CET
OK: changes to the syntax classes are backwards compatible
OK: syntax allow trailing dash
OK: advisory

FYI: git:51977581d41ebc97361c4708839c980441018d6c adds a univention.testing.strings.random_username_special_characters()
The following chars cannot be used currently:
    '@',  # heimdal kerberos principal name breaks due to duplicated @
    '$',  # not identifiable as users/user
    r'"/\[]:;|=,+*?<>',  # ldap.CONSTRAINT_VIOLATION: "0000202F: samldb: sAMAccountName contains invalid '+' character\n", see https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccountname

Special chars which can be used:
"!#%&'()-.^_`{}~ ´€Ω®½"