On 2009.11.12 at 10:01:55 -0700, James Yonan wrote:
> Victor Wagner wrote:
> > On 2009.10.24 at 13:39:56 -0600, James Yonan wrote:
> >
> >> Can you submit a patch (as an email attachment) with this fix?
> > Attached
> >
> > This patch also contains X509_NAME_oneline replacement, which handles
> > MSB characters.
> >
> > I've not checked if this patch applies cleanly to unmodified source.
> > I've just diffed original 2.1_rc19 source, imported in our subversion
> > repository with current working copy and removed all irrelevant chunks.
>
> Thanks for putting this together.
>
> I'm a bit concerned about changing any of the remapping behavior unless
> no-name-remapping is specified. I see that in some areas, you test the
> no-name-remapping flag before you modify existing behavior, but in other
> areas such as my_X509_NAME_oneline, X509_NAME_CHAR_CLASS, and
> COMMON_NAME_CHAR_CLASS you don't.

The problem is that the existing behavior seems to be designed without non-ASCII alphabets in mind. I think that "preserving existing behavior" is "exporting alphabetic characters as they are". Since it is quite hard to distinguish between "alphabetic" and "non-alphabetic" outside of the ASCII range, and no shell uses non-ASCII characters as separators (which is the primary reason for remapping), I've considered it a safe way to treat all 8-bit characters as alphabetic.

no-name-remapping has side effects, i.e. it disables the system method of script execution. So all non-Latin-writing users would face a choice: either use their native language and lose some functionality of openvpn, or have full functionality and lose their native language.

Really, I think that name remapping shouldn't be applied to environment variables at all. Maybe command line arguments should be protected this way. But people who use environment variables typically are clever enough to handle shell special characters. Moreover, if the script is written in some better language than shell (i.e. perl, tcl or even a C program, which should probably be considered a worse language, as it is prone to buffer overflows), or for a dlopened plugin, the same remapping rules are applied.
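
The two behaviours debated in this thread, shown side by side as an added example (not code from the patch or from OpenVPN). remap_name(), ascii_allowed() and the allowed ASCII punctuation set are hypothetical stand-ins for the character-class remapping; the sample subject string is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed ASCII whitelist: alphanumerics plus a few name punctuation marks. */
static int ascii_allowed(unsigned char c)
{
    return isalnum(c) || (c != '\0' && strchr("_-.@:/=", c) != NULL);
}

/*
 * Replace every byte outside the allowed class with '_', in place.
 * high_bit_is_alpha == 0: bytes >= 0x80 are remapped like any other
 *                         disallowed byte (ASCII-only behaviour).
 * high_bit_is_alpha != 0: bytes >= 0x80 are kept, so UTF-8 or 8-bit
 *                         names survive; ASCII shell metacharacters
 *                         are still remapped.
 * Returns the number of bytes replaced.
 */
int remap_name(char *s, int high_bit_is_alpha)
{
    int replaced = 0;
    for (unsigned char *p = (unsigned char *)s; *p; ++p) {
        if (*p >= 0x80) {
            if (high_bit_is_alpha)
                continue;
        } else if (ascii_allowed(*p)) {
            continue;
        }
        *p = '_';
        ++replaced;
    }
    return replaced;
}

int main(void)
{
    /* Constructed subject: a Cyrillic CN in UTF-8 followed by ";x". */
    char strict[] = "/CN=\xd0\x98\xd0\xb2\xd0\xb0\xd0\xbd;x";
    char eight[]  = "/CN=\xd0\x98\xd0\xb2\xd0\xb0\xd0\xbd;x";

    printf("ascii-only: %d replaced -> %s\n", remap_name(strict, 0), strict);
    printf("8-bit kept: %d replaced -> %s\n", remap_name(eight, 1), eight);
    return 0;
}
```

In both modes the ';' is remapped; only the treatment of the non-ASCII name bytes differs.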