You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Hajo Locke <Ha...@gmx.de> on 2017/01/23 10:06:57 UTC

[users@httpd] apache 2.4 handling of subdomains with unallowed characters

Hello list,

i have some subdomains with unallowed characters, in my case the underscore.

In apache 2.2 subdomains like this worked: sub_domain.domain.com
In apache 2.4 this produces a 400 servererror (bad request)

It seems that apache 2.4's handling of allowed/not allowed chars is more 
strict.

Is there a config-option to relax this behaviour to 2.2 standard? I 
looked but did not find proper directives.
Otherwise i would quit using not allowed chars.

Thanks,
Hajo


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] apache 2.4 handling of subdomains with unallowed characters

Posted by Hajo Locke <Ha...@gmx.de>.

Hello,

Am 24.01.2017 um 07:01 schrieb Nick Kew:
> On Mon, 2017-01-23 at 21:26 +0000, Darryl Philip Baker wrote:
>> DNS doesn\u2019t allow underscore in host and domain names so how a URL
>> with an underscore would have ever worked is beyond me.
> Yeah, but is it the webserver's role to enforce that?
>
> Old answer: be liberal in what you accept.
> New answer: enforce HTTP much more strictly to pre-empt the next
> security alert based on smuggling something through.
>
> In reply to the OP, does HTTPProtocolOptions may be what you're
> looking for, though I haven't verified it.
>
yes, |HttpProtocolOptions is the option i was looking for, Thanks. The 
invalid subdomain is working again.
I am aware of dangers by setting this to unsafe. I will try to avoid 
this und eliminate this invalid hosts.

Thanks,
Hajo
|

Re: [users@httpd] apache 2.4 handling of subdomains with unallowed characters

Posted by Nick Kew <ni...@apache.org>.

On Mon, 2017-01-23 at 21:26 +0000, Darryl Philip Baker wrote:
> DNS doesn\u2019t allow underscore in host and domain names so how a URL
> with an underscore would have ever worked is beyond me.

Yeah, but is it the webserver's role to enforce that?

Old answer: be liberal in what you accept.
New answer: enforce HTTP much more strictly to pre-empt the next
security alert based on smuggling something through.

In reply to the OP, does HTTPProtocolOptions may be what you're
looking for, though I haven't verified it.

-- 
Nick Kew

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] apache 2.4 handling of subdomains with unallowed characters

Posted by Darryl Philip Baker <da...@northwestern.edu>.

DNS doesn’t allow underscore in host and domain names so how a URL with an underscore would have ever worked is beyond me.

Darryl Baker
Sr. System Administrator
Northwestern | Information Technology
www.it.northwestern.edu

Re: [users@httpd] apache 2.4 handling of subdomains with unallowed characters

Posted by Erik Dobák <er...@gmail.com>.

also i dont recall to see any URL with _ before. is this spam?
E

On 23 January 2017 at 22:06, Erik Dobák <er...@gmail.com> wrote:

> i don't see any underscores here:
>
> ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
>
> https://tools.ietf.org/html/rfc3986
>
>
> On 23 January 2017 at 11:06, Hajo Locke <Ha...@gmx.de> wrote:
>
>> Hello list,
>>
>> i have some subdomains with unallowed characters, in my case the
>> underscore.
>>
>> In apache 2.2 subdomains like this worked: sub_domain.domain.com
>> In apache 2.4 this produces a 400 servererror (bad request)
>>
>> It seems that apache 2.4's handling of allowed/not allowed chars is more
>> strict.
>>
>> Is there a config-option to relax this behaviour to 2.2 standard? I
>> looked but did not find proper directives.
>> Otherwise i would quit using not allowed chars.
>>
>> Thanks,
>> Hajo
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Re: [users@httpd] apache 2.4 handling of subdomains with unallowed characters

Posted by Erik Dobák <er...@gmail.com>.

i don't see any underscores here:

ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

https://tools.ietf.org/html/rfc3986


On 23 January 2017 at 11:06, Hajo Locke <Ha...@gmx.de> wrote:

> Hello list,
>
> i have some subdomains with unallowed characters, in my case the
> underscore.
>
> In apache 2.2 subdomains like this worked: sub_domain.domain.com
> In apache 2.4 this produces a 400 servererror (bad request)
>
> It seems that apache 2.4's handling of allowed/not allowed chars is more
> strict.
>
> Is there a config-option to relax this behaviour to 2.2 standard? I looked
> but did not find proper directives.
> Otherwise i would quit using not allowed chars.
>
> Thanks,
> Hajo
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>