On 30.07.2012 22:54, William A. Rowe Jr. wrote:
> What is less clear is what precautions we should take when functioning as
> a forward proxy with proxy uri string contents, or presenting user-provided,
> non-canonicalized host names. I can imagine such translation being abused to
> conceal some forms of XSS exploitation.
>
> I'd start by assembling a patch to introduce punycode transliteration into the
> apr-util library and another patch into httpd for vhost, mass-vhosting using
> utf-8 path names, and presenting trusted utf-8 values for our error log and
> field tokens. Does anyone have concerns before I begin messing with this
> logic?

The idn-code has nothing to search in server-configs. They are not in DNS, they are not in mail-servers. All on the server level is working with punycodes, and this is good how it is.
