> -----Ursprüngliche Nachricht----- > Von: Eric Covener <cove...@gmail.com> > Gesendet: Freitag, 22. Juni 2018 23:21 > An: Apache HTTP Server Development List <dev@httpd.apache.org> > Betreff: Host header checking too strict? > > After CVE-2016-8743 we only accept hostnames that are valid in DNS, > which notably excludes underscores. But it seems like 7230 does not > require HTTP Host: to use a DNS registry, and excluding '_' should > have broken IDN (punycode) international domain names. > > Meanwhile I have seen several reports of e.g. departmental servers or > proxypreservehost=off-like failures with hostnames w/ underscores. > > Should we be more tolerant here, or offer an option? > > [ ] No > [X] Just underscores, which seems to come up alot?
Regards Rüdiger
