After CVE-2016-8743 we only accept hostnames that are valid in DNS, which notably excludes underscores. But it seems like 7230 does not require HTTP Host: to use a DNS registry, and excluding '_' should have broken IDN (punycode) international domain names.
Meanwhile I have seen several reports of e.g. departmental servers or proxypreservehost=off-like failures with hostnames w/ underscores.

Should we be more tolerant here, or offer an option?

[ ] No
[ ] Just underscores, which seems to come up a lot?
[ ] all of reg-name?

https://tools.ietf.org/html/rfc3986#section-3.2.2

    reg-name    = *( unreserved / pct-encoded / sub-delims )
    unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
    sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

I am tempted on underscores by default, but all of reg-name looks like a lot, and I have never seen someone report any of the other chars. I certainly would not want & coming back in by default.

--
Eric Covener
[email protected]
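
The three poll options above, expressed as character-set checks on a Host value. This is an added example, not part of the original message and not httpd code. The enum and function names are hypothetical, the sample hosts are constructed, and the check covers allowed characters only (not DNS label length or hyphen placement).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy names for the three poll options; not httpd identifiers. */
enum host_policy { HOST_DNS_ONLY, HOST_DNS_UNDERSCORE, HOST_REG_NAME };

/* Returns 1 if every character of host is permitted under the policy. */
int host_allowed(const char *host, enum host_policy policy)
{
    const unsigned char *p = (const unsigned char *)host;

    if (*p == '\0')
        return 0;  /* RFC 3986 allows an empty reg-name; rejected here by choice */
    for (; *p; p++) {
        unsigned char c = *p;
        /* Characters valid in DNS hostnames: letters, digits, '-', '.' */
        if (c < 0x80 && (isalnum(c) || c == '-' || c == '.'))
            continue;
        /* Option 2: additionally tolerate underscore */
        if (c == '_' && policy != HOST_DNS_ONLY)
            continue;
        if (policy != HOST_REG_NAME)
            return 0;
        /* Option 3: the rest of unreserved ('~') and all of sub-delims */
        if (c == '~' || strchr("!$&'()*+,;=", c))
            continue;
        /* pct-encoded = "%" HEXDIG HEXDIG; short-circuit stops at the NUL */
        if (c == '%' && isxdigit(p[1]) && isxdigit(p[2])) {
            p += 2;
            continue;
        }
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample Host values */
    const char *hosts[] = { "www.example.com", "dept_server.example",
                            "a&b.example", "a%2Fb.example", "a/b.example" };
    puts("host                  dns  dns+_  reg-name");
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s  %-3d  %-5d  %d\n", hosts[i],
               host_allowed(hosts[i], HOST_DNS_ONLY),
               host_allowed(hosts[i], HOST_DNS_UNDERSCORE),
               host_allowed(hosts[i], HOST_REG_NAME));
    return 0;
}
```

The table makes the gap between the second and third options visible: only the full reg-name policy lets `&` and percent-encoded octets through.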
