-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
validate lineage name #9644
validate lineage name #9644
Conversation
Thanks for the PR! I'm currently working through a bit of a backlog of work to do and review, but I plan to get to this myself soon unless someone else on the Certbot team happens to have the time and interest before I do. |
Alright! |
Nice! I agree with you that this needs tests, but I largely like your approach here, especially where you're validating the given certname and how you moved that check before attempting to obtain the certificate. The main thought I have is on what characters should be allowed. I know #6127 (comment) suggested that there are problems with slashes or names starting with a hyphen. What's the problem with a hyphen? As far as I can tell, it's just argparse gets confused:
I personally think this is fine and this PR wouldn't have any effect on this. As far as I can tell, the main problem is path separators. Do you agree? We could do something fancier such as declare a dependency on something like pathvalidate, however, I worry that it's overkill, especially since any extra error conditions here is arguably a breaking change in Certbot. Unless you or anyone else has another case they're especially worried about, I think we should just check for the presence of What do you think? |
The hyphen was indeed included because #6127 mentioned it would be an issue. I have not observed erroneous behavior when This, however, raises the following question: how should I test this? I could write a single test that dynamically generates an illegal name by invoking Therefore, I suggest I create a test by extending the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep! That makes sense. We have tests that run on Linux, macOS, and Windows.
I noticed one small thing but otherwise once this has tests, this LGTM. Thanks NiekPeeters.
…gal-lineagename-fix
Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
…bot into illegal-lineagename-fix
Done! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great. Thanks again!
Fixes #6127.
Added blacklist mechanism for lineage name that avoids characters that are known to cause issues. Check occurs only when creating new lineage; this should avoid introducing a breaking change for lineages with those characters that users may have already created.
Raise an error when illegal lineage name is found; and provides a user-friendly error description on how to resolve the issue. An illegal name shouldn't occur when the lineage name is inferred from the domain names (instead of an explicit
--cert-name
) as domain names shouldn't allow such characters. Nevertheless, this assumption might no longer hold after future adjustments to this blacklist mechanism (or even after introducing a whitelist mechanism), so the shown error description reflects whether the provided--cert-name
contained the illegal name, or whether it was inferred from the domain names.Pull Request Checklist
master
section ofcertbot/CHANGELOG.md
to include a description of the change being made.AUTHORS.md
if you like.