launchpad-reviewers team mailing list archive

Thread
Date

[Merge] ~wgrant/launchpad:security.py-numeric-usernames into launchpad:master

To: mp+380297@xxxxxxxxxxxxxxxxxx
From: William Grant <me@xxxxxxxxxxxxxxxxxx>
Date: Thu, 05 Mar 2020 15:12:25 -0000
Reply-to: mp+380297@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

William Grant has proposed merging ~wgrant/launchpad:security.py-numeric-usernames into launchpad:master.

Commit message:
Fix security.py to not crash on a role name with digits

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~wgrant/launchpad/+git/launchpad/+merge/380297

PostgreSQL's aclitem putid emits role names unquoted in safe cases, but
security.py's regex didn't use the same safe set so failed to parse
ACLs involving usernames like "abc123".
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~wgrant/launchpad:security.py-numeric-usernames into launchpad:master.

diff --git a/database/schema/security.py b/database/schema/security.py
index 4e0c917..967790d 100755
--- a/database/schema/security.py
+++ b/database/schema/security.py
@@ -49,7 +49,10 @@ POSTGRES_ACL_MAP = {
     'T': 'TEMPORARY',
     }
 
-QUOTED_STRING_RE = '(?:([a-z_]+)|"([^"]*(?:""[^"]*)*)")?'
+# PostgreSQL's putid emits an unquoted string if every character in the role
+# name isalnum or is _. Otherwise the name is enclosed in double quotes, and
+# any embedded double quotes are doubled.
+QUOTED_STRING_RE = '(?:([A-Za-z0-9_]+)|"([^"]*(?:""[^"]*)*)")?'
 ACLITEM_RE = re.compile('^%(qs)s=([\w*]*)/%(qs)s$' % {'qs': QUOTED_STRING_RE})