Re: Host header checking too strict?

2018-06-26 Thread William A Rowe Jr
We simply accept them, and let dns reject them when not resolvable.
On Tue, Jun 26, 2018, 14:22 Daniel Ferradal wrote:
> This was implemented last year in 2.4.24. Much has happened and just a
> few strugglers including I, had to deal with it, it seems.
>
> I remember I mentioned the CVE at wor

Re: Host header checking too strict?

2018-06-26 Thread Daniel Ferradal
This was implemented last year in 2.4.24. Much has happened and just a few strugglers including I, had to deal with it, it seems. I remember I mentioned the CVE at work and that seemed enough for everyone to accept the change and nobody proposes _ in new names since then. IIRC "httpprotocoloptions

Re: Host header checking too strict?

2018-06-25 Thread Roy T. Fielding
> On Jun 25, 2018, at 8:57 AM, William A Rowe Jr wrote:
>
> On Mon, Jun 25, 2018 at 5:31 AM, Joe Orton wrote:
> On Fri, Jun 22, 2018 at 05:21:08PM -0400, Eric Covener wrote:
> > After CVE-2016-8743 we only accept hostnames that are valid in DNS,
> > which notably excl

Re: Host header checking too strict?

2018-06-25 Thread William A Rowe Jr
On Mon, Jun 25, 2018 at 5:31 AM, Joe Orton wrote:
> On Fri, Jun 22, 2018 at 05:21:08PM -0400, Eric Covener wrote:
> > After CVE-2016-8743 we only accept hostnames that are valid in DNS,
> > which notably excludes underscores. But it seems like 7230 does not
> > require HTTP Host: to use a DNS re

Re: Host header checking too strict?

2018-06-25 Thread Joe Orton
On Fri, Jun 22, 2018 at 05:21:08PM -0400, Eric Covener wrote:
> After CVE-2016-8743 we only accept hostnames that are valid in DNS,
> which notably excludes underscores. But it seems like 7230 does not
> require HTTP Host: to use a DNS registry, and excluding '_' should
> have broken IDN (punycod

Re: Host header checking too strict?

2018-06-22 Thread Yann Ylavic
On Sat, Jun 23, 2018 at 12:16 AM, William A Rowe Jr wrote:
>
> (Sub-delims have all sorts of problematic designations, we really want
> to accept a "wildcard" '*' hostname? I'd suggest keep to the known
> "unwise" exceptions, and leave it part of the "unsafe" protocol behavior.)
Marking underscor

Re: Host header checking too strict?

2018-06-22 Thread Yann Ylavic
On Fri, Jun 22, 2018 at 11:21 PM, Eric Covener wrote:
>
> [X] Just underscores, which seems to come up a lot?
Until others complain, I've never heard of any other so far.

Re: Host header checking too strict?

2018-06-22 Thread William A Rowe Jr
On Fri, Jun 22, 2018 at 5:13 PM, William A Rowe Jr wrote:
> On Fri, Jun 22, 2018 at 4:42 PM, Eric Covener wrote:
>
>> > should have broken IDN (punycode) international domain names.
>>
>> those are obviously dashes, not underscores, so not affected at all.
>>
>
> That assertion was a bit extreme

Re: Host header checking too strict?

2018-06-22 Thread William A Rowe Jr
On Fri, Jun 22, 2018 at 4:42 PM, Eric Covener wrote:
> > should have broken IDN (punycode) international domain names.
>
> those are obviously dashes, not underscores, so not affected at all.
>
That assertion was a bit extreme :) But on principle, underbars are not valid (internet) DNS, but seem

Re: Host header checking too strict?

2018-06-22 Thread Eric Covener
> should have broken IDN (punycode) international domain names.
those are obviously dashes, not underscores, so not affected at all.