Re: [PATCH] Add strict Host validation

2015-01-13 Thread Ruslan Ermilov
On Mon, Jan 12, 2015 at 03:45:03PM -0800, Piotr Sikora wrote: Hey Maxim, I still think it's a no. If needed, allowed characters can be easily restricted by a configuration. Just to make a point:
$ curl -I nginx.org
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Mon, 12 Jan 2015

Re: [PATCH] Add strict Host validation

2015-01-12 Thread Maxim Dounin
Hello! On Mon, Jan 05, 2015 at 02:12:04PM -0800, Piotr Sikora wrote: Hey Maxim, While I agree that there is no real reason for forbidding some of those characters, I think that Host still should be restricted to at least printable ASCII characters (minus space and path separators).

Re: [PATCH] Add strict Host validation

2015-01-12 Thread Piotr Sikora
Hey Maxim, I still think it's a no. If needed, allowed characters can be easily restricted by a configuration. Just to make a point:
$ curl -I nginx.org
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Mon, 12 Jan 2015 23:42:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8981

Re: [PATCH] Add strict Host validation

2015-01-05 Thread Piotr Sikora
Hey Maxim, While I agree that there is no real reason for forbidding some of those characters, I think that Host still should be restricted to at least printable ASCII characters (minus space and path separators). I can't think of any reason why would you intentionally allow control

Re: [PATCH] Add strict Host validation

2014-12-20 Thread Andrey Kulikov
On 20 December 2014 at 00:08, Piotr Sikora pi...@cloudflare.com wrote: I think that Host still should be restricted to at least printable ASCII In what part of ASCII table? What about host names in national alphabets?

Re: [PATCH] Add strict Host validation

2014-12-20 Thread Piotr Sikora
Hey Andrey, In what part of ASCII table? US-ASCII, i.e. printable characters are 0x20-0x7E. What about host names in national alphabets? They are not transmitted as such, see RFC3492 (Punycode) and RFC5891 (IDNA). Best regards, Piotr Sikora

Re: [PATCH] Add strict Host validation

2014-12-19 Thread Piotr Sikora
Hey Maxim, I don't think we should further restrict allowed hostnames solely based on what current edition of standard says. We are more or less liberal here, allowing various experiments - and I don't think this should be changed without a good reason. While I agree that there is no real

[PATCH] Add strict Host validation

2014-12-17 Thread Piotr Sikora
# HG changeset patch
# User Piotr Sikora pi...@cloudflare.com
# Date 1418870862 28800
#      Wed Dec 17 18:47:42 2014 -0800
# Node ID ab0442e232ce098438943a77422d8a04cc5b6790
# Parent 99751fe3bc3b285801b434f7f707d87fa42b093e
Add strict Host validation.

According to RFC3986, Host is a sequence of