In apache 2.4.25, there has a new function in vhost.c, strict_hostname_check https://github.com/apache/httpd/blob/639df4136b46642cdfdc390b34e446 501597abba/server/vhost.c#L754
I current get 400 response, if send a request likes the following: http://abc+def:8088/test/auth.cgi Base on log, '+' is not a valid character. I check history and find it comes from the following commit: https://github.com/apache/httpd/commit/741c7f335bdfb133404baf614ffa03 db262b1e48 Is there any one know why strict_hostname_check implements the following rule? * for the host name in the URL or Host header: - if an IPv4 dotted decimal address: Reject octal or hex values, require exactly four parts - if a DNS host name: Reject non-alphanumeric characters besides '.' and '-'. As a side effect, this rejects multiple Host headers. Is it based on RFC or any other document? I will appreciate it if any one can share with me. Thank you
