Can I suggest making sure to use both "canonicalization" and "normalization" to aid searchability?
On Mon, Jan 24, 2022 at 10:23 AM Steven M Christey <co...@mitre.org> wrote:

> We’ve noted this request to add a new entry to CWE. MITRE’s content
> submission guidelines at
> https://cwe.mitre.org/community/submissions/guidelines.html
> <https://cwe.mitre.org/community/submissions/guidelines.html#problems>
> note that minimum expectations for content submissions should include Name,
> Summary, Extended Description, Modes of Introduction, Potential
> Mitigations, Common Consequences, Applicable Platforms, Demonstrative
> Examples, Observed Examples, Relationships, and References. Incomplete
> submissions are frequently a cause of delays for integration into CWE.
>
> Regarding this specific weakness, I agree that CWE-20 and CWE-180 are not
> ideal. It is probably better placed under CWE-706: Use of
> Incorrectly-Resolved Name or Reference, where an identifier can be provided
> that points to an unexpected resource. Common examples are pathname
> equivalence CWE-42 for a trailing “.”, CWE-52 with a trailing slash, and
> CWE-58 for Windows 8.3 format filenames.
>
> CWE probably does not use the “canonicalization” term as often as it
> should, which hurts the ability for users to discover this. Changes will
> need to be made to CWE content to make this kind of problem easier for CWE
> users to find.
>
> Given how extensively DNS names are used, it seems reasonable for
> including this entry as a variant.
>
> Thanks,
>
> Steve
>
> *From:* Kurt Seifried <k...@seifried.org>
> *Sent:* Monday, January 24, 2022 11:50 AM
> *To:* CWE Research Discussion <firstname.lastname@example.org>
> *Subject:* New CWE for DNS domain normalization/canonicalization with
> trailing dot
>
> New CWE for DNS domain normalization/canonicalization with trailing dot
>
> So we have:
>
> https://cwe.mitre.org/data/definitions/20.html
>
> https://cwe.mitre.org/data/definitions/180.html
>
> which are both, broadly speaking, catch-all buckets too broad to be of
> much help.
>
> I would like to propose a CWE for "Failure to properly handle DNS names
> with or without a trailing dot", e.g.:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0832
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4963
>
> and Sweden accidentally broke DNS for .se back in 2009 with a dot:
>
> https://www.computerworld.com/article/2529045/missing-dot-drops-sweden-off-the-internet.html
>
> And various projects having issues with this spanning many years:
>
> https://bugs.python.org/issue31997
>
> https://github.com/openssl/openssl/issues/11560
>
> --
>
> Kurt Seifried (He/Him)
> k...@seifried.org

--
Kurt Seifried (He/Him)
k...@seifried.org
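
An added example, not part of the thread above: the proposed weakness shown as a per-host policy lookup in Python, first keyed on the raw string and then on a canonical form. The policy table, hostnames and function names are constructed for illustration, and the canonicalizer is a minimal sketch rather than full hostname validation.

```python
# Constructed sample data: security policy keyed by hostname.
POLICY = {"bank.example": "https-only", "intranet.example": "deny"}


def lookup_naive(host):
    """Raw string lookup. 'bank.example.' names the same host as
    'bank.example' in DNS, but misses the table entry and gets the default."""
    return POLICY.get(host, "default")


def canonical_host(host):
    """Return one canonical spelling of a DNS name, or raise ValueError.

    Lowercases (DNS names compare case-insensitively) and drops the single
    trailing dot that marks a fully qualified name. Empty labels are
    rejected, so 'a..b' or 'bank.example..' cannot act as yet another
    spelling. The bare root '.' is rejected too: it is not a host.
    """
    name = host.lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if not name or len(name) > 253:
        raise ValueError(f"invalid DNS name: {host!r}")
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError(f"invalid DNS name: {host!r}")
    return name


def lookup_canonical(host):
    """Canonicalize first, then look up, so every spelling of a host
    resolves to the same policy entry."""
    return POLICY.get(canonical_host(host), "default")


if __name__ == "__main__":
    for h in ("bank.example", "bank.example.", "BANK.Example."):
        print(f"{h!r:18} naive={lookup_naive(h):10} "
              f"canonical={lookup_canonical(h)}")
```

The same canonical form has to be applied when entries are written to the table, not only when they are read.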