Hello!

On Sun, Dec 16, 2018 at 07:18:19PM -0800, Terence Honles wrote:

> # HG changeset patch
> # User Terence Honles <tere...@honles.com>
> # Date 1542840079 28800
> # Wed Nov 21 14:41:19 2018 -0800
> # Node ID 0763519f3dcce2c68ccd8894dcc02a4d6114b4c2
> # Parent be5cb9c67c05ccaf22dab7abba78aa4c1545a8ee
> better constrain IP-literal validation in ngx_http_validate_host()
>
> The existing validation in ngx_http_validate_host() would allow an IP-literal
> such as "[127.0.0.1]" which is invalid according to RFC 3986 (See Appendix A.
> for the Collected ABNF). This format is intended for IPv6 and IPv-future not
> IPv4.

We've considered doing more strict checks when introducing IPv6
literals in e7db97bfac25 (http://hg.nginx.org/nginx/rev/e7db97bfac25),
yet decided that:

- it doesn't add anything to security,

- and may actually harm some future workloads, such as using
  things like [unix:/path/to/unix.socket].

In particular, it doesn't look like permitting [127.0.0.1] can be
a problem.

Do you think that introducing more strict checks can be
beneficial? Could you please outline reasons?

[...]

--
Maxim Dounin
http://mdounin.ru/
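
An added illustration, not part of the message above, the patch, or nginx itself: a stand-alone C check for the RFC 3986 `IP-literal` grammar under discussion, showing which bracketed hosts a strict check accepts and which it rejects (including the `[127.0.0.1]` and `[unix:...]` forms mentioned in the thread). The names `classify_ip_literal()` and `is_ipvfuture()` are hypothetical, and `IPv6address` parsing is delegated to `inet_pton()` instead of being implemented from the ABNF.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <string.h>

/* Results of the hypothetical helper classify_ip_literal(). */
enum { LIT_INVALID = 0, LIT_IPV6, LIT_IPVFUTURE };

/* IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" ) */
static int is_ipvfuture(const char *s, size_t len)
{
    static const char extra[] = "-._~!$&'()*+,;=:";
    size_t i = 1;

    if (len < 4 || (s[0] != 'v' && s[0] != 'V')) return 0;
    while (i < len && isxdigit((unsigned char) s[i])) i++;
    /* need at least one version digit, a dot, and a non-empty tail */
    if (i == 1 || i + 1 >= len || s[i] != '.') return 0;
    for (i++; i < len; i++) {
        if (!isalnum((unsigned char) s[i])
            && memchr(extra, s[i], sizeof(extra) - 1) == NULL) return 0;
    }
    return 1;
}

/* host: NUL-terminated Host value without a port, e.g. "[::1]". */
int classify_ip_literal(const char *host)
{
    char buf[INET6_ADDRSTRLEN];
    struct in6_addr addr;
    size_t len = strlen(host);

    if (len < 4 || host[0] != '[' || host[len - 1] != ']') return LIT_INVALID;
    host++;                       /* strip the brackets */
    len -= 2;
    if (is_ipvfuture(host, len)) return LIT_IPVFUTURE;
    if (len >= sizeof(buf)) return LIT_INVALID;
    memcpy(buf, host, len);
    buf[len] = '\0';
    /* Assumption: inet_pton() stands in for the IPv6address ABNF. */
    return inet_pton(AF_INET6, buf, &addr) == 1 ? LIT_IPV6 : LIT_INVALID;
}
```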