httpd-dev mailing list archives

From Tony Finch <...@dotat.at>
Subject Re: Hostname syntax, iDNS, filename safety
Date Sun, 05 Nov 2000 02:57:09 GMT
"William A. Rowe, Jr." <wrowe@rowe-clan.net> wrote:
>
>  I thought the list's consensus was ... this is fine iff we allow this
>behavior with a config escape.  I frankly don't care if it defaults to
>relaxed, and is configurable to strict.  I'm +0 either which way, since
>I wasn't clear what strict dns name enforcement brought to the table.
>Would someone enlighten me?

I think the strict syntax checking is mostly me being pig-headed --
several people disagree with it. The comment on the commit message
will be as follows; I just want the last paragraph sanity-checked :-)

: In mass hosting setups (using mod_vhost_alias or mod_rewrite) where
: the hostname is interpolated into the filename, we need to be sure
: that the result of interpolation doesn't expose parts of the
: filesystem that should be private. This was done by checking the
: syntax of the Host: header according to RFC 1123 and RFC 952. However,
: many people have broken configurations that violate this syntax
: (frequently because they use underscores in their names), and it also
: doesn't accommodate the current effort to internationalize the DNS. I
: don't think the former is a compelling reason to relax the syntax
: checking, but the latter does justify this change.
: 
: The only RFC on internationalized DNS at the moment is RFC 2825 which
: is an introduction to how difficult the whole thing is; the other
: official documentation is a pile of Internet Drafts produced by the
: Internationalized Domain Names Working Group of the IETF (with names
: starting "draft-ietf-idn-"). However they have very little to say
: about URIs, and the current Internet draft about internationalized
: URIs (draft-masinter-url-i18n-05) has very little to say about
: hostnames :-( However there is some useful information at
: <http://www.apng.org/idns/> where there is some iDNS testbed work
: going on. The basic idea is that although the format of the hostnames
: in the DNS itself remains compatible with RFC 1123, the actual
: hostname presented to the resolver is in UTF8, and therefore the
: hostname in the URL and Host: header is also in UTF8.
: 
: This change relaxes the checking so that only character sequences that
: are sensitive to the filesystem are rejected, i.e. forward slashes,
: backward slashes, and sequences of more than one dot.

Tony.
-- 
en oeccget g mtcaa    f.a.n.finch
v spdlkishrhtewe y    dot@dotat.at
eatp o v eiti i d.    fanf@covalent.net
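
The two checks discussed in this message, side by side, as an added example that is not part of the original e-mail or of Apache's source. The function names and the docroot pattern `/www/hosts/%s/docs` are assumptions, and the strict check is a simplified approximation of the RFC 952 / RFC 1123 syntax.

```c
#include <stdio.h>
#include <string.h>

/* Relaxed rule from the commit message: reject only forward slashes,
 * backslashes and runs of more than one dot. Rejecting an empty name
 * is an extra assumption of this sketch. */
int host_ok_relaxed(const char *host)
{
    return *host != '\0' && strpbrk(host, "/\\") == NULL &&
           strstr(host, "..") == NULL;
}

/* Simplified strict rule: ASCII letters, digits and hyphens in
 * dot-separated labels; no empty label, and no label that starts or
 * ends with a hyphen. Underscores and UTF-8 bytes are rejected. */
int host_ok_strict(const char *host)
{
    size_t label_len = 0;
    char c, prev = '\0';
    for (; (c = *host) != '\0'; prev = c, host++) {
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.' && label_len > 0 && prev != '-')
            label_len = 0;
        else if (alnum || (c == '-' && label_len > 0))
            label_len++;
        else
            return 0;
    }
    return label_len > 0 && prev != '-';
}

/* Interpolate a checked Host: value into a hypothetical mass-hosting
 * docroot pattern. Returns 0 on success, -1 if the name is rejected
 * or the result does not fit in the buffer. */
int vhost_path(char *out, size_t n, const char *host)
{
    int len;
    if (!host_ok_relaxed(host))
        return -1;
    len = snprintf(out, n, "/www/hosts/%s/docs", host);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}
```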
