#755 pkispawn interpolation doesn't handle values that contain '%'
Closed: Fixed None Opened 9 years ago by nkinder.

If I create a pkispawn deployment config file that has a value with a '%' in it, the interpolation code throws an exception. For example, I created the following deployment file that uses a '%' character in the passwords:


[DEFAULT]
pki_admin_password=Secret%12
pki_client_pkcs12_password=Secret%12
pki_ds_password=Secret%12

If I then attempt to run pkispawn, I encounter this exception:


$ sudo pkispawn -s CA -f /home/nkinder/ca.cfg 
Loading deployment configuration from /home/nkinder/ca.cfg.
Traceback (most recent call last):
  File "/sbin/pkispawn", line 429, in <module>
    main(sys.argv)
  File "/sbin/pkispawn", line 320, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 454, in compose_pki_master_dictionary
    self.flatten_master_dict()
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 333, in flatten_master_dict
    default_dict = dict(self.pki_config.items('DEFAULT'))
  File "/usr/lib64/python2.7/ConfigParser.py", line 655, in items
    for option in options]
  File "/usr/lib64/python2.7/ConfigParser.py", line 691, in _interpolate
    self._interpolate_some(option, L, rawval, section, vars, 1)
  File "/usr/lib64/python2.7/ConfigParser.py", line 732, in _interpolate_some
    "'%%' must be followed by '%%' or '(', found: %r" % (rest,))
ConfigParser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%12'


There is an easy solution to using '%' in values in the pkispawn deployment file. The '%' character is used for interpolation in Python's ConfigParser class. To use a '%' character in a config value where you are not trying to do interpolation, you simply need to escape the character with a second '%'. For example, the following pkispawn deployment file works fine:


[DEFAULT]
pki_admin_password=Secret%%12
pki_client_pkcs12_password=Secret%%12
pki_ds_password=Secret%%12


The solution might just be to document that escaping is needed for '%' characters in pkispawn deployment files.

I attempted an interactive creation of a CA using pkispawn, and it seems to work fine when the passwords use '%' characters, so it seems that it is already internally escaping values.

In addition to documenting that '%' characters must be escaped in deployment files in the pkispawn manpage, we should also try to print a helpful error message when we encounter an unescaped '%' character. It would be much more helpful if pkispawn said something like:

"Encountered an unescaped '%' character in <deployment file>. You must escape '%' characters in deployment file values (example - 'setting=some%%value')."

Pushed to master. Thanks to Ade for his review!

master - 443159f77e87a70bc85ab85f5ad58b9169def88a

Metadata Update from @nkinder:
- Issue set to the milestone: N/A

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1322

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata