Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@mch.sni.de> on 1998/02/02 21:50:22 UTC

Re: cvs commit: apache-1.3/src/main http_vhost.c

Dean wrote,...
>   +    /* trim a trailing . */
>   +    l = strlen(host);
>   +    if (l > 0 && host[l-1] == '.') {
>   +        host[l-1] = '\0';
>   +    }
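Review bot: the `if` strips only one trailing '.', so a Host value like "www.apache.org..." still carries two dots into the virtual-host comparison and quietly matches nothing; either loop (`while (l > 0 && host[l-1] == '.')`) or, since a name with several trailing dots has no defined meaning, reject it with a 400 rather than guessing. Stripping even the single dot also makes "twinlark." and "twinlark" the same name for a ServerAlias comparison, so the intended semantics of the one-dot case should be stated in the comment. The declaration of `l` is outside the hunk; check it is a `size_t`, matching what `strlen()` returns.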

Shouldn't that be a "while" instead of an "if"? My browser has no problems
accessing "http://www.apache.org.../" (note the ellipsis!).

> nslookup www.apache.org...
Server:  deejai.mch.sni.de
Address:  139.25.113.10

Non-authoritative answer:
Name:    www.apache.org
Address:  204.62.130.149

Only dig has problems:
> dig www.apache.org...
; <<>> DiG 2.2 <<>> www.apache.org... 
;; res_mkquery: buffer too small

Just wanted to mention..
    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Marc Slemko <ma...@worldgate.com>.
On Tue, 3 Feb 1998, Martin Kraemer wrote:

> On Tue, Feb 03, 1998 at 07:51:37PM +0000, Ben Laurie wrote:
> > > The error could even include a link to a guess (ie. strip the extra '.'s),
> > > just not do it automagically.
> 
> OTOH, we could do it the other way round: strip off _any_ trailing dots,
> then _always_ add exactly one before doing the resolving. That is
> consistent internally (looks up a host only once) but guarantees that
> all host names are interpreted as absolute.
> 
> Silly?

Yes, because it will break when people are relying on the fact that "foo"
is really "foo.znep.com" but znep.com just happens to be my domain and my
machine knows that, so...


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Dean Gaudet <dg...@arctic.org>.
Not silly on the internet, but silly on intranets.  unfortunately. 

Dean

On Tue, 3 Feb 1998, Martin Kraemer wrote:

> On Tue, Feb 03, 1998 at 07:51:37PM +0000, Ben Laurie wrote:
> > > The error could even include a link to a guess (ie. strip the extra '.'s),
> > > just not do it automagically.
> 
> OTOH, we could do it the other way round: strip off _any_ trailing dots,
> then _always_ add exactly one before doing the resolving. That is
> consistent internally (looks up a host only once) but guarantees that
> all host names are interpreted as absolute.
> 
> Silly?
> 
>     Martin


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Tue, Feb 03, 1998 at 07:51:37PM +0000, Ben Laurie wrote:
> > The error could even include a link to a guess (ie. strip the extra '.'s),
> > just not do it automagically.

OTOH, we could do it the other way round: strip off _any_ trailing dots,
then _always_ add exactly one before doing the resolving. That is
consistent internally (looks up a host only once) but guarantees that
all host names are interpreted as absolute.

Silly?

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Ben Laurie <be...@algroup.co.uk>.
Marc Slemko wrote:
> 
> On Mon, 2 Feb 1998, Randy Terbush wrote:
> 
> > Brian Behlendorf <br...@organic.com> wrote:
> > > At 12:02 AM 2/3/98 +0100, Lars Eilebrecht wrote:
> > > >According to Dean Gaudet:
> > > >
> > > >>  The "world" may not be correct.  I don't know what the right handling is
> > > >>  for those things.
> > > >
> > > >BTW, Squid automatically removes any trailing dots.
> > >
> > > I fear a world where folks put multiple trailing dots in URL's thinking
> > > they're a correct thing to do "because it works for me".
> > >
> > > I advocate returning an error if there's more than one trailing dot, say
> > > 400 for bad request, with an explanation why.
> >
> > Now there is a brilliant idea.. :-)
> > Makes sense to me.
> >
> 
> But multiple trailing '.'s may be valid.

Don't be silly.

>  I can't find anything that says
> they are, and all I can find only talks about the single trailing .; since
> after all, that is simply the root zone being added.  But... DNS RFCs are
> ... complex.
> 
> The error could even include a link to a guess (ie. strip the extra '.'s),
> just not do it automagically.

Yeah.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Marc Slemko <ma...@worldgate.com>.
On Mon, 2 Feb 1998, Randy Terbush wrote:

> Brian Behlendorf <br...@organic.com> wrote:
> > At 12:02 AM 2/3/98 +0100, Lars Eilebrecht wrote:
> > >According to Dean Gaudet:
> > >
> > >>  The "world" may not be correct.  I don't know what the right handling is
> > >>  for those things.
> > >
> > >BTW, Squid automatically removes any trailing dots.
> > 
> > I fear a world where folks put multiple trailing dots in URL's thinking
> > they're a correct thing to do "because it works for me".
> > 
> > I advocate returning an error if there's more than one trailing dot, say
> > 400 for bad request, with an explanation why.
> 
> Now there is a brilliant idea.. :-)
> Makes sense to me.
> 

But multiple trailing '.'s may be valid.  I can't find anything that says
they are, and all I can find only talks about the single trailing .; since
after all, that is simply the root zone being added.  But... DNS RFCs are
... complex.

The error could even include a link to a guess (ie. strip the extra '.'s),
just not do it automagically.


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Randy Terbush <ra...@covalent.net>.
Brian Behlendorf <br...@organic.com> wrote:
> At 12:02 AM 2/3/98 +0100, Lars Eilebrecht wrote:
> >According to Dean Gaudet:
> >
> >>  The "world" may not be correct.  I don't know what the right handling is
> >>  for those things.
> >
> >BTW, Squid automatically removes any trailing dots.
> 
> I fear a world where folks put multiple trailing dots in URL's thinking
> they're a correct thing to do "because it works for me".
> 
> I advocate returning an error if there's more than one trailing dot, say
> 400 for bad request, with an explanation why.

Now there is a brilliant idea.. :-)
Makes sense to me.


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Tue, Feb 03, 1998 at 11:50:37AM -0800, Dean Gaudet wrote:
> But that still doesn't solve the bug Marc brought up.
> 
> http://twinlark./ should fail, it shouldn't match a "ServerAlias twinlark" 

Oh well, another can of worms.

The matching of "config words" to server names, domain substrings, glob
patterns and regex patterns is, to say it mildly, catastrophic in apache.

You probably hit a "regex"-'.' or anything. There are loads of "strstr"
matches in the code, especially in the proxy module. When I added the
NoProxy directive, I tried to resolve part of this by defining a precise
syntax for
  - domain names (and how they're matched)
  - IP Addrs     (and how they're matched)
  - Subnet Addrs (and how they're matched)
  - Host Names   (and how they're matched)
  - all the rest (and how it's matched)

These "config word" matches should _ALL_ be precisely defined, and best
handled in a set of central routines, for each of the classes of "config
words" we want to handle.

And there should be a syntax to write "I want this word to be a glob
pattern" or "this word is an IP subnet" etc.

I hope you understand what I'm so angry about when you have a look at
mod_proxy.html:

    The NoCache directive specifies a list of words, hosts and/or
    domains, separated by spaces. HTTP and non-passworded FTP documents
    from matched words, hosts or domains are _not_ cached by the proxy
    server. The proxy module will also attempt to determine IP addresses
    of list items which may be hostnames during startup, and cache them
    for match test as well.

How would _you_ program a match for "a list of words, hosts and/or
domains"?

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
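A sketch, added here and not mod_proxy's own code, of the per-class matching Martin asks for: a config word is classified first and then compared under that class's own rule, and a word that fits no class matches nothing instead of falling back to a strstr() substring test. The leading-dot domain syntax and the a.b.c.d/bits subnet syntax are assumptions for this example; no DNS lookup is done on the request path.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Config-word classes from the list in the post above (illustration only). */
enum word_class { WORD_DOMAIN, WORD_SUBNET, WORD_IPADDR, WORD_HOSTNAME, WORD_OTHER };

/* Parse a dotted-quad IPv4 address with optional "/bits"; 1 on success. */
static int parse_ipv4(const char *s, uint32_t *addr, uint32_t *mask)
{
    unsigned a, b, c, d, bits = 32;
    int len = -1, len2 = -1;

    if (sscanf(s, "%3u.%3u.%3u.%3u%n", &a, &b, &c, &d, &len) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    if (s[len] == '/') {
        if (sscanf(s + len + 1, "%2u%n", &bits, &len2) != 1 || bits > 32)
            return 0;
        len += 1 + len2;
    }
    if (s[len] != '\0')
        return 0;                       /* trailing junk: not an address */
    *addr = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    *mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return 1;
}

/* Decide what kind of word this is (assumed syntax: ".domain", "a.b.c.d",
 * "a.b.c.d/bits", or a plain DNS name); anything else is WORD_OTHER. */
static enum word_class classify(const char *w, uint32_t *addr, uint32_t *mask)
{
    size_t i, n = strlen(w);

    if (n == 0) return WORD_OTHER;
    if (w[0] == '.') return n > 1 ? WORD_DOMAIN : WORD_OTHER;
    if (parse_ipv4(w, addr, mask))
        return strchr(w, '/') ? WORD_SUBNET : WORD_IPADDR;
    for (i = 0; i < n; i++) {           /* labels of [A-Za-z0-9-], single dots */
        if (w[i] == '.') {
            if (i + 1 == n || w[i + 1] == '.') return WORD_OTHER;
        } else if (!isalnum((unsigned char)w[i]) && w[i] != '-')
            return WORD_OTHER;
    }
    return WORD_HOSTNAME;
}

/* 1 if `host` (a Host: value or peer address, without port) matches the
 * config word under that word's class rule, else 0. */
static int word_matches(const char *w, const char *host)
{
    uint32_t waddr = 0, wmask = 0, haddr = 0, hmask = 0;
    size_t wl = strlen(w), hl = strlen(host);

    switch (classify(w, &waddr, &wmask)) {
    case WORD_DOMAIN:      /* suffix on a label boundary, or the bare domain */
        return strcasecmp(host, w + 1) == 0 ||
               (hl > wl && strcasecmp(host + hl - wl, w) == 0);
    case WORD_HOSTNAME:    /* whole name, case-insensitive; never a substring */
        return strcasecmp(host, w) == 0;
    case WORD_IPADDR:
    case WORD_SUBNET:      /* numeric hosts only: no resolver call here */
        return parse_ipv4(host, &haddr, &hmask) && hmask == 0xFFFFFFFFu &&
               (haddr & wmask) == (waddr & wmask);
    default:
        return 0;          /* an unclassifiable word matches nothing */
    }
}
```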

Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Dean Gaudet <dg...@arctic.org>.
But that still doesn't solve the bug Marc brought up.

http://twinlark./ should fail, it shouldn't match a "ServerAlias twinlark" 

Dean

On Tue, 3 Feb 1998, Martin Kraemer wrote:

> On Mon, Feb 02, 1998 at 04:05:03PM -0800, Brian Behlendorf wrote:
> > 
> > I fear a world where folks put multiple trailing dots in URL's thinking
> > they're a correct thing to do "because it works for me".
> 
> In fact, it's often used "to cheat the cache" :-(
> 
> > I advocate returning an error if there's more than one trailing dot, say
> > 400 for bad request, with an explanation why.
> 
> Good point. +1.
> 
>     Martin


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Mon, Feb 02, 1998 at 04:05:03PM -0800, Brian Behlendorf wrote:
> 
> I fear a world where folks put multiple trailing dots in URL's thinking
> they're a correct thing to do "because it works for me".

In fact, it's often used "to cheat the cache" :-(

> I advocate returning an error if there's more than one trailing dot, say
> 400 for bad request, with an explanation why.

Good point. +1.

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Brian Behlendorf <br...@organic.com>.
At 12:02 AM 2/3/98 +0100, Lars Eilebrecht wrote:
>According to Dean Gaudet:
>
>>  The "world" may not be correct.  I don't know what the right handling is
>>  for those things.
>
>BTW, Squid automatically removes any trailing dots.

I fear a world where folks put multiple trailing dots in URL's thinking
they're a correct thing to do "because it works for me".

I advocate returning an error if there's more than one trailing dot, say
400 for bad request, with an explanation why.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
specialization is for insects				  brian@organic.com
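An added example, not code from the commit or from anyone in this thread, of the handling Brian proposes combined with the committed http_vhost.c behaviour: one trailing dot is stripped from the name part of the Host: value, two or more are refused so the server answers 400 instead of guessing, and nothing here does a DNS lookup. The HOST_* names and the :port handling are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Result of normalizing a Host: value before virtual-host matching
 * (names made up for this example). */
enum host_norm { HOST_OK = 0, HOST_BAD_REQUEST = 400 };

/* Strip exactly one trailing '.' from the name part (an optional :port is
 * left alone), as the committed code does, but refuse a name with two or
 * more trailing dots instead of guessing what was meant.  Works in place. */
static int normalize_host(char *host)
{
    char *colon = strchr(host, ':');
    size_t l = colon ? (size_t)(colon - host) : strlen(host);
    size_t dots = 0;

    /* count trailing dots: "www.apache.org..." has three */
    while (dots < l && host[l - 1 - dots] == '.')
        dots++;

    if (dots > 1 || (dots == 1 && l == 1))
        return HOST_BAD_REQUEST;        /* caller answers 400 and explains */
    if (dots == 1)                      /* "www.apache.org." -> "www.apache.org" */
        memmove(host + l - 1, host + l, strlen(host + l) + 1);
    return HOST_OK;
}

/* Test helper: normalize a copy of `in`; 1 if the result code and (for
 * HOST_OK) the rewritten string are both what was expected, else 0. */
static int check(const char *in, int want_rc, const char *want)
{
    char buf[256];
    int rc;

    if (strlen(in) >= sizeof buf) return 0;
    strcpy(buf, in);
    rc = normalize_host(buf);
    if (rc != want_rc) return 0;
    return rc != HOST_OK || strcmp(buf, want) == 0;
}

int main(void)
{
    /* constructed sample Host: values */
    static const char *samples[] = { "www.apache.org", "www.apache.org.",
        "www.apache.org...", "dev.apache.org.:8080", "." };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof *samples; i++) {
        char buf[256];
        int rc;
        strcpy(buf, samples[i]);
        rc = normalize_host(buf);
        printf("%-22s -> %s\n", samples[i], rc == HOST_OK ? buf : "400 Bad Request");
    }
    return 0;
}
```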

Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Lars Eilebrecht:

> >  "nslookup valis." should fail even though "nslookup valis" works.

Doh! I need more coffee... <:-)


>  At least Squid 1.2b removes every trailing slash and would
                                              ^^^^^
s/slash/dot/

>  attach the local to both "valis." and "valis".
              ^^^^^
s/local/local domain/


ciao...
-- 
Lars Eilebrecht                                - I`m the person,
sfx@unix-ag.org                     - your mother always warned you about!
http://www.si.unix-ag.org/~sfx/


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Marc Slemko:

> > BTW, Squid automatically removes any trailing dots.
>  
>  But does it do it correctly?
>  
>  "nslookup valis." should fail even though "nslookup valis" works.

At least Squid 1.2b removes every trailing slash and would
attach the local to both "valis." and "valis".


ciao...
-- 
Lars Eilebrecht                  - "A fail-safe circuit will destroy others."
sfx@unix-ag.org
http://www.si.unix-ag.org/~sfx/


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Marc Slemko <ma...@worldgate.com>.
On Mon, 2 Feb 1998, Dean Gaudet wrote:

> On Mon, 2 Feb 1998, Marc Slemko wrote:
> 
> > On Mon, 2 Feb 1998, Dean Gaudet wrote:
> > 
> > > On Mon, 2 Feb 1998, Marc Slemko wrote:
> > > 
> > > > "nslookup valis." should fail even though "nslookup valis" works.
> > > 
> > > "nslookup valid." should fail, because the trailing . is an anchor to the
> > > root, it avoids local search rules. 
> > 
> > Exactly, but the point is that to preserve this you can't just strip
> > trailing '.'s. 
> 
> Oh.  That's an excellent point.  Ugh.
> 
> Does anyone see a solution that doesn't involve the lame-ass DNS lookups
> that cause DoS? (the same ones that I'm trying to get rid of right now)
> 
> My head hurts.

There is no solution except drinking lots of beer, then you stop worrying
about it for some reason.

What we can do is say that we do _NOT_ allow normal DNS names in
(wherever we need to do this), but we require that they be in this (ie.
no names rooted by a trailing '.') form and we will do that (ie. strip or
not strip trailing '.'s) with them. 

Then we can do what we want and not be against any specs because we are
doing our own thing.  <g>

What we are stuck with is the fact that there is no canonical form for a
DNS name that can be found without doing lookups; you can argue that even
with lookups we can't.


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Dean Gaudet <dg...@arctic.org>.
On Mon, 2 Feb 1998, Marc Slemko wrote:

> On Mon, 2 Feb 1998, Dean Gaudet wrote:
> 
> > On Mon, 2 Feb 1998, Marc Slemko wrote:
> > 
> > > "nslookup valis." should fail even though "nslookup valis" works.
> > 
> > "nslookup valid." should fail, because the trailing . is an anchor to the
> > root, it avoids local search rules. 
> 
> Exactly, but the point is that to preserve this you can't just strip
> trailing '.'s. 

Oh.  That's an excellent point.  Ugh.

Does anyone see a solution that doesn't involve the lame-ass DNS lookups
that cause DoS? (the same ones that I'm trying to get rid of right now)

My head hurts.

Dean


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Marc Slemko <ma...@worldgate.com>.
On Mon, 2 Feb 1998, Dean Gaudet wrote:

> 
> 
> On Mon, 2 Feb 1998, Marc Slemko wrote:
> 
> > "nslookup valis." should fail even though "nslookup valis" works.
> 
> "nslookup valid." should fail, because the trailing . is an anchor to the
> root, it avoids local search rules. 

Exactly, but the point is that to preserve this you can't just strip
trailing '.'s. 

> 
> > "nslookup valis.worldgate.com" and "nslookup valis.worldgate.com." should
> > do the same thing.
> 
> Dean
> 


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Dean Gaudet <dg...@arctic.org>.

On Mon, 2 Feb 1998, Marc Slemko wrote:

> "nslookup valis." should fail even though "nslookup valis" works.

"nslookup valid." should fail, because the trailing . is an anchor to the
root, it avoids local search rules. 

> "nslookup valis.worldgate.com" and "nslookup valis.worldgate.com." should
> do the same thing.

Dean


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Marc Slemko <ma...@worldgate.com>.
On Tue, 3 Feb 1998, Lars Eilebrecht wrote:

> According to Dean Gaudet:
> 
> >  The "world" may not be correct.  I don't know what the right handling is
> >  for those things.
> 
> BTW, Squid automatically removes any trailing dots.

But does it do it correctly?

"nslookup valis." should fail even though "nslookup valis" works.
"nslookup valis.worldgate.com" and "nslookup valis.worldgate.com." should
do the same thing.


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Dean Gaudet:

>  The "world" may not be correct.  I don't know what the right handling is
>  for those things.

BTW, Squid automatically removes any trailing dots.


ciao...
-- 
Lars Eilebrecht                          - "If you can't make it good,
sfx@unix-ag.org                       - make it LOOK good." (Bill Gates)
http://www.si.unix-ag.org/~sfx/


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Dean Gaudet <dg...@arctic.org>.
The "world" may not be correct.  I don't know what the right handling is
for those things.  But consider this: 

% dig twinlark.arctic.org.
success
% dig twinlark.arctic.org..
success
% dig twinlark.arctic.org...
failure

I've no idea why.  But I trust dig more than I trust other DNS programs.

% nslookup twinlark.arctic.org...
success
% nslookup twinlark.arctic.org....
failure

This is with bind-8.1.1 tools and server. 

All I know for certain is that a single trailing . has meaning and should
be stripped, and that's what the code does now. 

Dean

On Mon, 2 Feb 1998, Martin Kraemer wrote:

> On Mon, Feb 02, 1998 at 01:06:28PM -0800, Dean Gaudet wrote:
> > I haven't dug into the DNS rfcs but I believe that "abc.." is different
> > from "abc." ... I think only one trailing . has significance (to root the
> > request without doing local searching).  If someone has a chance to dig
> > into the rfcs that'd be great. 
> 
> Okay, then try this:
>     <URL:http://dev.apache.org.../>
> and look where you land: it's the right "host", but not the right "VHost".
> 
> So I assume when the world wide routing can cope with it, so should we...
> 
>     Martin


Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Mon, Feb 02, 1998 at 01:06:28PM -0800, Dean Gaudet wrote:
> I haven't dug into the DNS rfcs but I believe that "abc.." is different
> from "abc." ... I think only one trailing . has significance (to root the
> request without doing local searching).  If someone has a chance to dig
> into the rfcs that'd be great. 

Okay, then try this:
    <URL:http://dev.apache.org.../>
and look where you land: it's the right "host", but not the right "VHost".

So I assume when the world wide routing can cope with it, so should we...

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: cvs commit: apache-1.3/src/main http_vhost.c

Posted by Dean Gaudet <dg...@arctic.org>.
I haven't dug into the DNS rfcs but I believe that "abc.." is different
from "abc." ... I think only one trailing . has significance (to root the
request without doing local searching).  If someone has a chance to dig
into the rfcs that'd be great. 

Dean

On Mon, 2 Feb 1998, Martin Kraemer wrote:

> Dean wrote,...
> >   +    /* trim a trailing . */
> >   +    l = strlen(host);
> >   +    if (l > 0 && host[l-1] == '.') {
> >   +        host[l-1] = '\0';
> >   +    }
> 
> Shouldn't that be a "while" instead of an "if"? My browser has no problems
> accessing "http://www.apache.org.../" (note the ellipsis!).
> 
> > nslookup www.apache.org...
> Server:  deejai.mch.sni.de
> Address:  139.25.113.10
> 
> Non-authoritative answer:
> Name:    www.apache.org
> Address:  204.62.130.149
> 
> Only dig has problems:
> > dig www.apache.org...
> ; <<>> DiG 2.2 <<>> www.apache.org... 
> ;; res_mkquery: buffer too small
> 
> Just wanted to mention..
>     Martin