httpd-dev mailing list archives

From Reindl Harald
Subject Re: utf-8 -> punycode for ServerName|Alias?
Date Mon, 30 Jul 2012 21:47:13 GMT

On 30.07.2012 22:54, William A. Rowe Jr. wrote:
> What is less clear is what precautions we should take when functioning as
> a forward proxy with proxy uri string contents, or presenting user-provided,
> non-canonicalized host names.  I can imagine such translation being abused to
> conceal some forms of XSS exploitation.
> I'd start by assembling a patch to introduce punycode transliteration into the
> apr-util library and another patch into httpd for vhost, mass-vhosting using
> utf-8 path names, and presenting trusted utf-8 values for our error log and
> field tokens.  Does anyone have concerns before I begin messing with this logic?

the idn-code has nothing to search in server-configs

they are not in DNS, they are not in mail-servers
all on the server level is working with punycode
and this is good how it is
