
Re: Host header checking too strict?

On Mon, Jun 25, 2018 at 5:31 AM, Joe Orton <jorton@xxxxxxxxxx> wrote:
> On Fri, Jun 22, 2018 at 05:21:08PM -0400, Eric Covener wrote:
>> After CVE-2016-8743 we only accept hostnames that are valid in DNS,
>> which notably excludes underscores.  But it seems like 7230 does not
>> require HTTP Host: to use a DNS registry, and excluding '_' should
>> have broken IDN (punycode) international domain names.
>> Meanwhile I have seen several reports of e.g. departmental servers or
>> proxypreservehost=off-like failures with hostnames w/ underscores.
>> Should we be more tolerant here, or offer an option?
>> [ ] No
>> [X] Just underscores, which seems to come up a lot?
>
> Yup, we had Fedora users complain about this as well after 2.6.25, +1
> for underscores in hostnames allowed by default.

I'll concur, I see no problem "violating" the spec in this single respect.
Note that the same is not true of, say, http field names. There, ambiguity
between - and _ due to CGI is an actual problem.
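
The field-name ambiguity mentioned at the end of the reply above, as an added example that is not part of the original thread or of httpd's code: CGI (RFC 3875, section 4.1.18) builds each `HTTP_*` variable by upper-casing the field name and replacing `-` with `_`, so two different field names can end up in the same variable. The function names and the sample request are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* RFC 3875 section 4.1.18: upper-case the field name, replace '-' with '_',
 * prepend "HTTP_". Returns 0 on success, -1 if out is too small. */
int cgi_env_name(const char *field, char *out, size_t outlen)
{
    size_t n = strlen(field);
    if (n + 6 > outlen)
        return -1;
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)field[i];
        out[5 + i] = (c == '-') ? '_' : (char)toupper(c);
    }
    out[5 + n] = '\0';
    return 0;
}

/* 1 if two different field names become the same CGI variable, else 0. */
int cgi_names_collide(const char *a, const char *b)
{
    char ea[128], eb[128];
    if (strcasecmp(a, b) == 0)
        return 0; /* same field repeated, not an ambiguity */
    if (cgi_env_name(a, ea, sizeof ea) != 0 || cgi_env_name(b, eb, sizeof eb) != 0)
        return 0; /* name too long for this sketch's buffers */
    return strcmp(ea, eb) == 0;
}

/* Index of the first field that collides with an earlier one, or -1. */
int first_ambiguous_field(const char *const *names, size_t count)
{
    for (size_t i = 1; i < count; i++)
        for (size_t j = 0; j < i; j++)
            if (cgi_names_collide(names[i], names[j]))
                return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: the field names of one request. */
    const char *const names[] = { "Host", "X-Forwarded-User", "Accept", "X_Forwarded_User" };
    printf("ambiguous field index: %d\n", first_ambiguous_field(names, 4));
    return 0;
}
```
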