On 22/06/2018 at 11:45, yla...@apache.org wrote:
Author: ylavic
Date: Fri Jun 22 09:45:39 2018
New Revision: 1834089
[...]
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=
After CVE-2016-8743 we only accept hostnames that are valid in DNS,
which notably excludes underscores. But it seems like 7230 does not
require HTTP Host: to use a DNS registry, and excluding '_' should
have broken IDN (punycode) international domain names.
Meanwhile I have seen several reports
> should have broken IDN (punycode) international domain names.
those are obviously dashes, not underscores, so not affected at all.
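
The character-set point in this exchange, as an added example that is not part of the thread and not httpd's code: a strict letter-digit-hyphen label check passes a punycode name and rejects an underscore unless it is explicitly allowed. The function name `host_label_check`, its `allow_underscore` flag and the sample hostnames are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd's implementation). Returns 1 when host is
 * made of dot-separated labels of ASCII letters, digits and '-' (plus '_'
 * when allow_underscore is non-zero), each label 1..63 bytes and not
 * starting or ending with '-', total length 1..253. A trailing dot is
 * rejected to keep the example short. */
int host_label_check(const char *host, int allow_underscore)
{
    size_t total = strlen(host), label_len = 0;
    char prev = '.';

    if (total == 0 || total > 253)
        return 0;
    for (size_t i = 0; i < total; i++) {
        char c = host[i];
        int ldh = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-';
        if (c == '.') {
            if (label_len == 0 || prev == '-')
                return 0;               /* empty label or trailing '-' */
            label_len = 0;
        } else if (ldh || (c == '_' && allow_underscore)) {
            if (c == '-' && label_len == 0)
                return 0;               /* leading '-' */
            if (++label_len > 63)
                return 0;               /* label too long */
        } else {
            return 0;                   /* any other byte, e.g. '*' or '_' */
        }
        prev = c;
    }
    return label_len > 0 && prev != '-';
}

int main(void)
{
    /* Constructed sample names; xn--bcher-kva is the punycode form of "bücher". */
    const char *names[] = { "xn--bcher-kva.example", "my_host.example", "*.example" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s strict=%d underscore-ok=%d\n", names[i],
               host_label_check(names[i], 0), host_label_check(names[i], 1));
    return 0;
}
```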
On Fri, Jun 22, 2018 at 4:42 PM, Eric Covener wrote:
> > should have broken IDN (punycode) international domain names.
>
> those are obviously dashes, not underscores, so not affected at all.
>
That assertion was a bit extreme :) But on principle, underbars are not
valid (internet) DNS, but seem
On Fri, Jun 22, 2018 at 5:13 PM, William A Rowe Jr
wrote:
> On Fri, Jun 22, 2018 at 4:42 PM, Eric Covener wrote:
>
>> > should have broken IDN (punycode) international domain names.
>>
>> those are obviously dashes, not underscores, so not affected at all.
>>
>
> That assertion was a bit extreme
On Fri, Jun 22, 2018 at 11:21 PM, Eric Covener wrote:
>
> [X] Just underscores, which seems to come up a lot?
Until others complain, I've never heard of any other so far.
On Sat, Jun 23, 2018 at 12:16 AM, William A Rowe Jr wrote:
>
> (Sub-delims have all sorts of problematic designations, we really want
> to accept a "wildcard" '*' hostname? I'd suggest keep to the known
> "unwise" exceptions, and leave it part of the "unsafe" protocol behavior.)
Marking underscor