Comment 1 Florian Best 2011-12-08 11:10:54 CET

Variablen mit einem ? oder = im Namen werden ebenfalls nicht verboten.

Comment 2 Dirk Wiesenthal 2012-12-05 12:30:57 CET

(In reply to comment #1)
> Variablen mit einem ? oder = im Namen werden ebenfalls nicht verboten.

Und kommen durch!
Key: "foo=bar", Value="baz" => foo: bar=baz. Mit ? ist die Situation ähnlich: Was vor dem ? steht wird auf das gesetzt, was danach kommt (falls die Variable noch nicht existiert)

Comment 3 Julius Hinrichs 2016-10-12 18:00:33 CEST

Created attachment 8093 [details]
Patch to check new keys

This patch does not accept keys that contain characters other than a-z, A-Z, 0-9, '/', '.', '_', '-'. Also, a key must contain at least one character. 

However, you can still "create" a "new" variable that overwrites the value of an existing key. It should also be checked if the entered key already exists.

Comment 4 Florian Best 2016-10-12 18:23:05 CEST

(In reply to Julius Hinrichs from comment #3)
> Created attachment 8093 [details]
> Patch to check new keys
> 
> This patch does not accept keys that contain characters other than a-z, A-Z,
> 0-9, '/', '.', '_', '-'. Also, a key must contain at least one character. 
> 
> However, you can still "create" a "new" variable that overwrites the value
> of an existing key. It should also be checked if the entered key already
> exists.

The validation should be done in the backend as well.

Comment 5 Julius Hinrichs 2016-10-14 16:16:27 CEST

Created attachment 8107 [details]
Improved patch to check new keys

This patch performs the same character checks both in the frontend and in the backend. Additionally, in the backend, adding a new variable fails if the given key already exists.

Comment 6 Florian Best 2016-10-17 11:01:55 CEST

Created attachment 8113 [details]
python backend patch (without javascript adjustments)

(In reply to Julius Hinrichs from comment #5)
> Created attachment 8107 [details]
> Improved patch to check new keys
> 
> This patch performs the same character checks both in the frontend and in
> the backend. Additionally, in the backend, adding a new variable fails if
> the given key already exists.

The check now checks if the variable is registered via an info file in UCR but not if the variable is already set. This prevents setting unregistered variables like foo/bar. UCR also has a utility function to validate the key. This should be used instead of the regex. Attached is a patch which fixes both.

Comment 7 Arvid Requate 2016-10-17 15:55:58 CEST

> adding a new variable fails if the given key already exists

Do you mean

ucr set foo=bar
ucr set foo=baz

fails? That would break a lot of things.

Comment 8 Julius Hinrichs 2016-10-17 16:34:33 CEST

(In reply to Arvid Requate from comment #7)
> > adding a new variable fails if the given key already exists
> 
> Do you mean
> 
> ucr set foo=bar
> ucr set foo=baz
> 
> fails? That would break a lot of things.

UMC uses "add" for new variables and "put" for existing ones. "ucr set" in the shell should still cover both cases.

Comment 9 Jürn Brodersen 2016-10-17 16:41:19 CEST

*** Bug 41629 has been marked as a duplicate of this bug. ***

Comment 10 Jürn Brodersen 2016-10-17 16:48:48 CEST

The utility function to validate the key didn't work for me.
See bug 41629

Comment 11 Johannes Keiser 2017-07-07 15:44:40 CEST

(In reply to Florian Best from comment #6)
> Created attachment 8113 [details]
> python backend patch (without javascript adjustments)
> 
> (In reply to Julius Hinrichs from comment #5)
> > Created attachment 8107 [details]
> > Improved patch to check new keys
> > 
> > This patch performs the same character checks both in the frontend and in
> > the backend. Additionally, in the backend, adding a new variable fails if
> > the given key already exists.
> 
> The check now checks if the variable is registered via an info file in UCR
> but not if the variable is already set. This prevents setting unregistered
> variables like foo/bar. UCR also has a utility function to validate the key.
> This should be used instead of the regex. Attached is a patch which fixes
> both.

Applied rebased patch:

r 80972
univention-config-registry (12.0.1-6) 
* Bug #25095: Add a check for ": " in validate_key

r 80974
univention-management-console-module-ucr (6.0.1-5) 
* Bug #25095: Applied patch - Show error message if UCR key is not valid
and improve key validation

YAML: r 80975

Comment 12 Florian Best 2017-07-11 14:20:19 CEST

Created attachment 9012 [details]
patch

OK: changes for validate_key(): it's not allowed anymore to set variables containing ": "
# ucr set 'foo: =bar'
Please fix invalid ": " in config registry key "foo: "
Not setting foo: 

REOPEN: Please make the following adjustments:

* Change "key" to "UCR variable name" in the message: "A valid key must contain at least…"
* The check for the already set UCR variable (e.g. apache2/autostart) doesn't work when adding variables.
* I think the "validate" request is unnecessary and should only be done in the "add" / "put" request.
* I think the validation for ": " is not required to be done in the Javascript. Instead the error message from validate_key() should be used.

I attached a patch which does most of the things. TODO: The translation has to be moved to the other .po file. TODO: the check for duplicated variables needs to be fixed.

Comment 13 Johannes Keiser 2017-07-11 16:26:53 CEST

(In reply to Florian Best from comment #12)
> Created attachment 9012 [details]
> patch
> 

Applied patch:

r 81047
univention-management-console-module-ucr (6.0.1-6) 
* Bug #25095: Applied patch from Florian Best - Simplify error handling
and messages

r 81048
univention-config-registry (12.0.1-7) 
* Bug #25095: Improve wording of validate_key error messages

YAML: r 81050

Comment 14 Florian Best 2017-07-11 17:56:56 CEST

Very nice!

OK: YAML

Comment 15 Janek Walkenhorst 2017-07-12 16:49:23 CEST

<http://errata.software-univention.de/ucs/4.2/94.html>
<http://errata.software-univention.de/ucs/4.2/95.html>