On 2009.11.12 at 19:25:16 +0100, David Sommerseth wrote:
> > no-name-remapping has side effects, i.e. disables system method of
> > script execution.
>
> I'd have to disagree here. OpenVPN should not change the default
> behaviour at all, as that can break a lot of already implemented
> installations if the default remapping goes away. And forcing values to
> stay inside the 7bit ASCII region is most likely the expected behaviour
> as well.

I doubt so. If you don't believe me, ask someone whose native language
is French or German and who has characters with umlauts in his name
whether he likes this character being replaced with an underscore.

Even for Western Europe, restricting the character set of certificates
to 7-bit is the source of the problem, not to mention the rest of the
world, where any name would be replaced by a string of underscores.

If someone wants to limit the characters allowed in certificates, it
should be done at the CA level, not when parsing certificates.
On this level the only reason to map characters is to prevent common
mistakes in the shell script. Characters outside of the ASCII range can
never be misinterpreted by shells, so they should be allowed.

> > Really, I think that name remapping shouldn't be applied to environment
> > variables at all. Maybe command line arguments should be protected
> > this way. But people who use environment variables typically are clever
> > enough to handle shell special characters.
>
> I am willing to agree with you to some extent here, but OpenVPN cannot
> change the current default behaviour of remapping. This would have to
> be thought of when this feature was initially implemented in OpenVPN,
> now it is too late to change the defaults.

It is possible to add an ADDITIONAL configuration directive such as
--allow-unicode-in-names, which doesn't have such a side effect as
no-name-remapping does now.

But I think that this should be enabled by default. If someone cannot
handle normal letters, he can disable them.

> Unfortunately, not many think about characters outside the standard
> 7bit ASCII. I've even experienced developers who got non-ASCII

Just all Russia, all Japan and all China. We just got too tired of
persuading English-speaking developers that the world is somewhat bigger
than Northern America, and often prefer to fork and maintain our own
localized version of software.