httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From f...@locus.apache.org
Subject cvs commit: apache-2.0/src/main http_vhost.c
Date Fri, 10 Nov 2000 01:34:46 GMT
fanf        00/11/09 17:34:46

  Modified:    src      CHANGES
               src/main http_vhost.c
  Log:
  In mass hosting setups (using mod_vhost_alias or mod_rewrite) where
  the hostname is interpolated into the filename, we need to be sure
  that the result of interpolation doesn't expose parts of the
  filesystem that should be private. This was done by checking the
  syntax of the Host: header according to RFC 1123 and RFC 952. However,
  many people have broken configurations that violate this syntax
  (frequently because they use underscores in their names), and it also
  doesn't accommodate the current effort to internationalize the DNS. I
  don't think the former is a compelling reason to relax the syntax
  checking, but the latter does justify this change.
  
  The only RFC on internationalized DNS at the moment is RFC 2825 which
  is an introduction to how difficult the whole thing is; the other
  official documentation is a pile of Internet Drafts produced by the
  Internationalized Domain Names Working Group of the IETF (with names
  starting "draft-ietf-idn-"). However they have very little to say
  about URIs, and the current Internet draft about internationalized
  URIs (draft-masinter-url-i18n-05) has very little to say about
  hostnames :-( On the gripping hand there is some useful information at
  <http://www.apng.org/idns/> where there is some iDNS testbed work
  going on. The basic idea is that although the format of the hostnames
  in the DNS itself remains compatible with RFC 1123, the actual
  hostname presented to the resolver is in UTF8, and therefore the
  hostname in the URL and Host: header is also in UTF8.
  
  This change relaxes the checking so that only character sequences that
  are sensitive to the filesystem are rejected, i.e. forward slashes,
  backward slashes, and sequences of more than one dot.
  
  PR: 6635
  
  Revision  Changes    Path
  1.316     +4 -0      apache-2.0/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/CHANGES,v
  retrieving revision 1.315
  retrieving revision 1.316
  diff -u -u -r1.315 -r1.316
  --- CHANGES	2000/11/09 22:05:40	1.315
  +++ CHANGES	2000/11/10 01:34:46	1.316
  @@ -1,4 +1,8 @@
   Changes with Apache 2.0a8
  +
  +  *) Relax the syntax checking of Host: headers in order to support
  +     iDNS. PR#6635 [Tony Finch]
  +
     *) When reading from file buckets we convert to an MMAP if it makes
        sense.  This also simplifies the default handler because the
        default handler no longer needs to try to create MMAPs.
  
  
  
  1.37      +10 -0     apache-2.0/src/main/http_vhost.c
  
  Index: http_vhost.c
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/main/http_vhost.c,v
  retrieving revision 1.36
  retrieving revision 1.37
  diff -u -u -r1.36 -r1.37
  --- http_vhost.c	2000/11/10 00:58:25	1.36
  +++ http_vhost.c	2000/11/10 01:34:46	1.37
  @@ -717,6 +717,16 @@
   
   /* Lowercase and remove any trailing dot and/or :port from the hostname,
    * and check that it is sane.
  + *
  + * In most configurations the exact syntax of the hostname isn't
  + * important so strict sanity checking isn't necessary. However, in
  + * mass hosting setups (using mod_vhost_alias or mod_rewrite) where
  + * the hostname is interpolated into the filename, we need to be sure
  + * that the interpolation doesn't expose parts of the filesystem.
  + * We don't do strict RFC 952 / RFC 1123 syntax checking in order
  + * to support iDNS and people who erroneously use underscores.
  + * Instead we just check for filesystem metacharacters: directory
  + * separators / and \ and sequences of more than one dot.
    */
   static void fix_hostname(request_rec *r)
   {
  
  
  

Mime
View raw message