On Mon, Jun 25, 2018 at 5:31 AM, Joe Orton <jor...@redhat.com> wrote:
> On Fri, Jun 22, 2018 at 05:21:08PM -0400, Eric Covener wrote:
> > After CVE-2016-8743 we only accept hostnames that are valid in DNS,
> > which notably excludes underscores. But it seems like 7230 does not
> > require HTTP Host: to use a DNS registry, and excluding '_' should
> > have broken IDN (punycode) international domain names.
> >
> > Meanwhile I have seen several reports of e.g. departmental servers or
> > proxypreservehost=off-like failures with hostnames w/ underscores.
> >
> > Should we be more tolerant here, or offer an option?
> >
> > [ ] No
> > [X] Just underscores, which seems to come up a lot?
>
> Yup, we had Fedora users complain about this as well after 2.6.25, +1
> for underscores in hostnames allowed by default.

I'll concur, I see no problem "violating" the spec in this single respect.

Note that the same is not true of, say, HTTP field names. There, ambiguity
between - and _ due to CGI is an actual problem.