git.net


Re: Host header checking too strict?



> -----Original Message-----
> From: Eric Covener <covener@xxxxxxxxx>
> Sent: Friday, 22 June 2018 23:21
> To: Apache HTTP Server Development List <dev@xxxxxxxxxxxxxxxx>
> Subject: Host header checking too strict?
> 
> After CVE-2016-8743 we only accept hostnames that are valid in DNS,
> which notably excludes underscores.  But it seems like 7230 does not
> require HTTP Host: to use a DNS registry, and excluding  '_' should
> have broken IDN (punycode) international domain names.
> 
> Meanwhile I have seen several reports of e.g. departmental servers or
> proxypreservehost=off-like failures with hostnames w/ underscores.
> 
> Should we be more tolerant here, or offer an option?
> 
> [ ] No
> [X] Just underscores, which seems to come up a lot?

Regards

Rüdiger
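
The two policies discussed in this thread, as an added example that is not part of the original messages and is not httpd's own code: a label-by-label Host check with a switch that tolerates only the underscore. The names `host_is_acceptable` and `allow_underscore` are hypothetical, the sample hostname is constructed, and the check assumes the port and any IPv6 literal have already been split off.

```c
#include <stdio.h>

/* ASCII letter or digit, independent of the current locale. */
static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Hypothetical helper (not httpd code). Checks the host part of a Host:
 * header label by label. allow_underscore == 0 accepts letters, digits
 * and '-' only (DNS hostname rule); allow_underscore == 1 also accepts
 * '_'. Returns 1 if the name is acceptable, 0 otherwise. */
int host_is_acceptable(const char *host, int allow_underscore)
{
    size_t label_len = 0, total = 0;
    const char *p;
    if (host == NULL || *host == '\0')
        return 0;
    for (p = host; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (++total > 253)              /* DNS limit on the whole name */
            return 0;
        if (c == '.') {
            if (label_len == 0 || p[-1] == '-')
                return 0;               /* empty label or trailing '-' */
            label_len = 0;
            continue;
        }
        if (c == '-') {
            if (label_len == 0)
                return 0;               /* label may not start with '-' */
        } else if (!(is_alnum_ascii(c) || (c == '_' && allow_underscore))) {
            return 0;                   /* space, control, '/', '@', ... */
        }
        if (++label_len > 63)           /* DNS limit on one label */
            return 0;
    }
    return p[-1] != '-';                /* one trailing dot is allowed */
}

int main(void)
{
    const char *h = "dept_server.example.com";   /* constructed sample */
    printf("%s strict=%d tolerant=%d\n", h,
           host_is_acceptable(h, 0), host_is_acceptable(h, 1));
    return 0;
}
```

Whitespace, control characters and every other non-hostname byte are rejected in both modes; only the treatment of `_` differs.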


