Why strict_hostname_check treats '+' as an invalid character

In Apache 2.4.25, there is a new function in vhost.c, strict_hostname_check:
https://github.com/apache/httpd/blob/639df4136b46642cdfdc390b34e446501597abba/server/vhost.c#L754

I currently get a 400 response if I send a request like the following:
http://abc+def:8088/test/auth.cgi
Based on the log, '+' is not a valid character.

I checked the history and found that it comes from the following commit:
https://github.com/apache/httpd/commit/741c7f335bdfb133404baf614ffa03db262b1e48

Does anyone know why strict_hostname_check implements the following rule?
* for the host name in the URL or Host header:
   - if an IPv4 dotted decimal address: Reject octal or hex values, require
     exactly four parts
   - if a DNS host name: Reject non-alphanumeric characters besides '.' and
     '-'. As a side effect, this rejects multiple Host headers.

Is it based on an RFC or any other document?

I would appreciate it if anyone can share this with me.

Thank you
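
The rule quoted in the message above, written out as a standalone C check (an added example, not httpd's own code and not part of the original post). The function names and the heuristic that a host whose last label starts with a digit is meant as an IPv4 address are assumptions, and the port is assumed to be stripped before the call.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical helper, not httpd code: one part of a dotted-decimal address.
 * Accepts only plain decimal 0..255; a leading zero (octal notation) or any
 * non-digit such as the 'x' of a hex value is rejected. */
static int valid_ipv4_part(const char *s, size_t len)
{
    int value = 0;
    if (len == 0 || len > 3 || (len > 1 && s[0] == '0'))
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        value = value * 10 + (s[i] - '0');
    }
    return value <= 255;
}

/* Returns 1 if host (port already stripped) passes the quoted rule, else 0.
 * Assumption: a host whose last label starts with a digit is meant as IPv4. */
int host_is_acceptable(const char *host)
{
    const char *last = strrchr(host, '.');
    last = last ? last + 1 : host;
    if (*host == '\0')
        return 0;
    if (isdigit((unsigned char)*last)) {
        int parts = 0;
        const char *p = host;
        for (;;) {
            size_t len = strcspn(p, ".");
            if (!valid_ipv4_part(p, len))
                return 0;
            parts++;
            if (p[len] == '\0')
                break;
            p += len + 1;
        }
        return parts == 4;          /* exactly four parts */
    }
    /* DNS name: only alphanumerics, '.' and '-'. This is what rejects '+',
     * and also the ',' that appears when duplicate Host headers are merged
     * into one comma-separated value. */
    for (const char *p = host; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return 0;
    return 1;
}
```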
