Re: Host header checking too strict?

On Fri, Jun 22, 2018 at 5:13 PM, William A Rowe Jr <wrowe@xxxxxxxxxxxxx> wrote:
On Fri, Jun 22, 2018 at 4:42 PM, Eric Covener <covener@xxxxxxxxx> wrote:
> should have broken IDN (punycode) international domain names.

those are obviously dashes, not underscores, so not affected at all.

That assertion was a bit extreme :) But on principle, underbars are not
valid (internet) DNS, but seem widely deployed in the intranet, notably
a certain M$ who has actively endorsed and promoted them to sysadmins.

I'd say let them pass, in that it shouldn't matter if a_b isn't resolvable
any more or less than axb is resolvable. There is no ambiguity in the
designation that I'm aware of.

(Sub-delims have all sorts of problematic designations, we really want
to accept a "wildcard" '*' hostname? I'd suggest keep to the known
"unwise" exceptions, and leave it part of the "unsafe" protocol behavior.)
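
Added example, not part of the original message and not httpd's own code: a hostname classifier in C that applies the policy argued for above, where LDH names (punycode included) and underscores pass, and RFC 3986 sub-delims such as '*' pass only in an "unsafe" mode. The names `classify_host`, `host_allowed` and the `unsafe` flag are hypothetical, and percent-encoded octets are treated as invalid for simplicity.

```c
#include <stddef.h>
#include <string.h>
/* Added example. Assumes a bare hostname: the caller has already split off
 * the port and handled IPv6 literals. */
enum host_class {
    HOST_LDH,        /* letters, digits, '-', '.': includes punycode "xn--" */
    HOST_UNDERSCORE, /* LDH plus '_': not internet DNS, common on intranets */
    HOST_SUBDELIM,   /* contains an RFC 3986 sub-delim such as '*' */
    HOST_INVALID     /* empty name, empty label, or any other byte */
};

static int is_ldh(unsigned char c)
{
    return (c >= '0' && c <= '9') || c == '-' ||
           ((c | 0x20) >= 'a' && (c | 0x20) <= 'z');
}

enum host_class classify_host(const char *host)
{
    static const char subdelims[] = "!$&'()*+,;=";
    enum host_class worst = HOST_LDH;
    size_t label_len = 0;
    if (host == NULL || *host == '\0')
        return HOST_INVALID;
    for (const unsigned char *p = (const unsigned char *)host; *p; p++) {
        if (*p == '.') {
            if (label_len == 0)
                return HOST_INVALID;  /* leading dot or "a..b" */
            label_len = 0;            /* one trailing dot is tolerated */
            continue;
        }
        if (*p == '_') {
            if (worst < HOST_UNDERSCORE)
                worst = HOST_UNDERSCORE;
        } else if (strchr(subdelims, *p) != NULL) {
            worst = HOST_SUBDELIM;
        } else if (!is_ldh(*p)) {
            return HOST_INVALID;
        }
        label_len++;
    }
    return worst;
}

/* Policy from the message: '_' always passes, sub-delims only in unsafe mode. */
int host_allowed(const char *host, int unsafe)
{
    enum host_class c = classify_host(host);
    return c <= HOST_UNDERSCORE || (unsafe && c == HOST_SUBDELIM);
}
```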