You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2020/01/31 12:28:57 UTC

another strict host checking loosening?

This vhost.c check blocks example.123 as a Host hader:

    else {
        /* The top-level domain must start with a letter (RFC 1123 2.1) */
        while (ch > host && *ch != '.')
            ch--;
        if (ch[0] == '.' && ch[1] != '\0' && !apr_isalpha(ch[1]))
            goto bad;
    }

The intention 1123 2.1 is to avoid ambiguity with dotted quad
representations of IP addresses.  Would it be reasonable to test any
other component or count the "." as we go to accept these as long as
there is no ambiguity, still under strict?

Re: another strict host checking loosening?

Posted by Eric Covener <co...@gmail.com>.

On Fri, Jan 31, 2020 at 7:28 AM Eric Covener <co...@gmail.com> wrote:
>
> This vhost.c check blocks example.123 as a Host hader:
>
>     else {
>         /* The top-level domain must start with a letter (RFC 1123 2.1) */
>         while (ch > host && *ch != '.')
>             ch--;
>         if (ch[0] == '.' && ch[1] != '\0' && !apr_isalpha(ch[1]))
>             goto bad;
>     }
>
> The intention 1123 2.1 is to avoid ambiguity with dotted quad
> representations of IP addresses.  Would it be reasonable to test any
> other component or count the "." as we go to accept these as long as
> there is no ambiguity, still under strict?

Duh. we already keep track of if we've seen a non dotted quad
character and the else { } above is only when we know it wasn't.
Should this check be dropped entirely?  It only comes from a
DISCUSSION section of 1123 2.1.

-- 
Eric Covener
covener@gmail.com