Re: svn commit: r1426877 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c server/util.c server/vhost.c

[Eric Covener]

On Sat, Dec 29, 2012 at 8:23 PM,  <s...@apache.org> wrote:
> Author: sf
> Date: Sun Dec 30 01:23:24 2012
> New Revision: 1426877
>
> URL: http://svn.apache.org/viewvc?rev=1426877&view=rev
> Log:
> Add an option to enforce stricter HTTP conformance
>
> Modified: httpd/httpd/trunk/server/vhost.c

> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/vhost.c?rev=1426877&r1=1426876&r2=1426877&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/vhost.c (original)
> +++ httpd/httpd/trunk/server/vhost.c Sun Dec 30 01:23:24 2012
> @@ -735,6 +735,59 @@ static apr_status_t fix_hostname_non_v6(
>      return APR_SUCCESS;
>  }
>
> +/*
> + * If strict mode ever becomes the default, this should be folded into
> + * fix_hostname_non_v6()
> + */
> +static apr_status_t strict_hostname_check(request_rec *r, char *host,
> +                                          int logonly)
> +{
> +    char *ch;
> +    int is_dotted_decimal = 1, leading_zeroes = 0, dots = 0;
> +
> +    for (ch = host; *ch; ch++) {
> +        if (!apr_isascii(*ch)) {
> +            goto bad;
> +        }
> +        else if (apr_isalpha(*ch) || *ch == '-') {
> +            is_dotted_decimal = 0;
> +        }
> +        else if (ch[0] == '.') {
> +            dots++;
> +            if (ch[1] == '0' && apr_isdigit(ch[2]))
> +                leading_zeroes = 1;
> +        }
> +        else if (!apr_isdigit(*ch)) {
> +           /* also takes care of multiple Host headers by denying commas */
> +            goto bad;
> +        }
> +    }
> +    if (is_dotted_decimal) {
> +        if (host[0] == '.' || (host[0] == '0' && apr_isdigit(host[1])))
> +            leading_zeroes = 1;
> +        if (leading_zeroes || dots != 3) {
> +            /* RFC 3986 7.4 */
> +            goto bad;
> +        }
> +    }
> +    else {
> +        /* The top-level domain must start with a letter (RFC 1123 2.1) */
> +        while (ch > host && *ch != '.')
> +            ch--;
> +        if (ch[0] == '.' && ch[1] != '\0' && !apr_isalpha(ch[1]))
> +            goto bad;
> +    }
> +    return APR_SUCCESS;
> +
> +bad:
> +    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
> +                  "[strict] Invalid host name '%s'%s%.6s",
> +                  host, *ch ? ", problem near: " : "", ch);
> +    if (logonly)
> +        return APR_SUCCESS;
> +    return APR_EINVAL;
> +}

(sorry for the necromancy of this very old commit)

Re: the 1123 2.1 reference a dozen lines from the end of the function:
RFC 1123 2.1 seems to say the opposite. Just a bug or something over
my head?

  2.1  Host Names and Numbers

      The syntax of a legal Internet host name was specified in RFC-952
      [DNS:4].  One aspect of host name syntax is hereby changed: the
      restriction on the first character is relaxed to allow either a
      letter or a digit.  Host software MUST support this more liberal
      syntax.