We simply accept them, and let dns reject them when not resolvable.


On Tue, Jun 26, 2018, 14:22 Daniel Ferradal <dferra...@apache.org> wrote:

> This was implemented last year in 2.4.24. Much has happened and just a
> few strugglers, including me, had to deal with it, it seems.
>
> I remember I mentioned the CVE at work and that seemed enough for
> everyone to accept the change and nobody proposes _ in new names since
> then. IIRC "httpprotocoloptions unsafe" could override this already.
> Hey Eric, we even had a discussion about this at IRC, remember? :)
>
> So what is the option we would offer instead?
> On Tue, Jun 26, 2018 at 0:19, Roy T. Fielding
> (<field...@gbiv.com>) wrote:
> >
> > On Jun 25, 2018, at 8:57 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >
> > On Mon, Jun 25, 2018 at 5:31 AM, Joe Orton <jor...@redhat.com> wrote:
> >>
> >> On Fri, Jun 22, 2018 at 05:21:08PM -0400, Eric Covener wrote:
> >> > After CVE-2016-8743 we only accept hostnames that are valid in DNS,
> >> > which notably excludes underscores.  But it seems like 7230 does not
> >> > require HTTP Host: to use a DNS registry, and excluding '_' should
> >> > have broken IDN (punycode) international domain names.
> >> >
> >> > Meanwhile I have seen several reports of e.g. departmental servers or
> >> > proxypreservehost=off-like failures with hostnames w/ underscores.
> >> >
> >> > Should we be more tolerant here, or offer an option?
> >> >
> >> > [ ] No
> >> > [X] Just underscores, which seems to come up a lot?
> >>
> >> Yup, we had Fedora users complain about this as well after 2.6.25, +1
> >> for underscores in hostnames allowed by default.
> >
> >
> > I'll concur, I see no problem "violating" the spec in this single respect.
> > Note that the same is not true of, say, http field names. There, ambiguity
> > between - and _ due to CGI is an actual problem.
> >
> >
> > The spec is at
> >
> >   https://tools.ietf.org/html/rfc3986#section-3.2.2
> >
> > and
> >
> >   https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#header.host
> >
> > Whatever we are doing, underscore is allowed by the spec.  DNS is irrelevant here
> > because hostnames are not limited to DNS names.
> >
> > It is reasonable for us to limit Host to be the set of allowed virtual hosts we are
> > willing to match, so we can certainly exclude the weird delimiters, but we
> > don't want to prevent access to hosts we allow to be configured.
> >
> > BTW, note that the second link above is to the current editors' draft of HTTP,
> > which is being revised now.  If anyone wants to reduce the grammar here or
> > elsewhere, now is the time to make it an issue at
> >
> >   https://github.com/httpwg/http-core
> >
> > Cheers,
> >
> > ....Roy
> >
>
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Freenode
>
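The three hostname grammars the thread compares, side by side, as an added example in C (not httpd's own code): the RFC 3986 section 3.2.2 reg-name grammar Roy points to, a DNS-style letters/digits/hyphen check of the kind enforced after CVE-2016-8743, and the "just underscores" relaxation Eric proposes. Port suffixes and IP-literals are left out of scope; the function names are this example's own.

```c
/* Added example, not httpd code: three candidate grammars for the Host header.
 * - host_is_rfc3986_reg_name: RFC 3986 reg-name, *( unreserved / pct-encoded / sub-delims )
 * - host_is_dns_ldh: DNS-style labels [A-Za-z0-9-], no leading/trailing '-', <=63 per label
 * - host_is_dns_ldh_underscore: the same, additionally permitting '_' (the proposal above)
 * Ports and IP-literals are out of scope; a trailing dot is rejected by the DNS variants. */
#include <ctype.h>
#include <string.h>

static int is_sub_delim(int c) { return strchr("!$&'()*+,;=", c) != NULL; }
static int is_unreserved(int c) { return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~'; }

/* RFC 3986 reg-name; the ABNF allows an empty reg-name, so "" returns 1. */
int host_is_rfc3986_reg_name(const char *h)
{
    for (const char *p = h; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {                       /* pct-encoded = "%" HEXDIG HEXDIG */
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2])) return 0;
            p += 2;
        } else if (!is_unreserved(c) && !is_sub_delim(c)) {
            return 0;
        }
    }
    return 1;
}

/* DNS-style hostname: dot-separated labels of 1..63 chars, total length <= 253.
 * allow_us == 1 additionally accepts '_' anywhere in a label. */
static int host_is_dns_like(const char *h, int allow_us)
{
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.' || c == '\0') {          /* end of a label */
            if (label == 0 || h[i - 1] == '-') return 0;   /* empty label or trailing '-' */
            label = 0;
        } else {
            if (!(isalnum(c) || c == '-' || (allow_us && c == '_'))) return 0;
            if (label == 0 && c == '-') return 0;           /* leading '-' */
            if (++label > 63) return 0;
        }
    }
    return 1;
}

int host_is_dns_ldh(const char *h)            { return host_is_dns_like(h, 0); }
int host_is_dns_ldh_underscore(const char *h) { return host_is_dns_like(h, 1); }
```

Note that the reg-name grammar also admits `%xx` escapes and sub-delims such as `;` or `&`, which is why limiting Host to the configurable virtual-host namespace, as Roy suggests, is a narrower check than "whatever RFC 3986 allows".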
