httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hajo Locke <>
Subject Re: [users@httpd] apache 2.4 handling of subdomains with unallowed characters
Date Tue, 24 Jan 2017 07:27:21 GMT

Am 24.01.2017 um 07:01 schrieb Nick Kew:
> On Mon, 2017-01-23 at 21:26 +0000, Darryl Philip Baker wrote:
>> DNS doesn’t allow underscore in host and domain names so how a URL
>> with an underscore would have ever worked is beyond me.
> Yeah, but is it the webserver's role to enforce that?
> Old answer: be liberal in what you accept.
> New answer: enforce HTTP much more strictly to pre-empt the next
> security alert based on smuggling something through.
> In reply to the OP, does HTTPProtocolOptions may be what you're
> looking for, though I haven't verified it.
yes, |HttpProtocolOptions is the option i was looking for, Thanks. The 
invalid subdomain is working again.
I am aware of dangers by setting this to unsafe. I will try to avoid 
this und eliminate this invalid hosts.


View raw message