secrets: name validation seems broken

[edsantiago]

This changed in #1541 without any explanation:

// Allowed: 253 [a-zA-Z0-9-_.] characters, and the start and end character must be [a-zA-Z0-9]
-var secretNameRegexp = regexp.Delayed(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)
+var secretNameRegexp = regexp.Delayed("^[^/=\000]+$")

(then slightly tweaked in #1562).

I believe this is really badly broken:

• it disagrees with the comment immediately above it
• it allows almost all ASCII characters: backspace, newline, CR, bell, you get the idea

Maybe the idea was to allow Unicode? If so, this is not the way to do it.

[vrothberg]

@rhatdan PTAL

[rhatdan]

I wanted to allow any character that an be placed on a file or environment variable.

For example an Email address I am willing to add more constraints, but not as strict as it was before.

[rhatdan]

Perhaps eliminate

\p{C} or \p{Other}: invisible control characters and unused code points. 

[vrothberg]

Can we revert the other commit? We're blocked on vendoring c/common into Podman.

[rhatdan]

Why? And no.

[vrothberg]

Why? And no.

As mentioned above, it's blocking c/common from being vendored into c/podman (see containers/podman#19178) for over a week.

[Luap99]

Why? And no.

As mentioned above, it's blocking c/common from being vendored into c/podman (see containers/podman#19178) for over a week.

vendoring was fixed in containers/podman#19187, we have to click rebase on the renovate PRs!

The original motivation seems to be #1494 which links to https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
So I don't see why podman should allow more than that as well.

Container, pod, image, volume names they all are limited in a similar way so why should secret be special?

[vrothberg]

vendoring was fixed in containers/podman#19187, we have to click rebase on the renovate PRs!

Thanks! I didn't notice this PR.