[PATCH] Add strict Host validation

Piotr Sikora piotr at cloudflare.com
Fri Dec 19 21:08:52 UTC 2014


Hey Maxim,

> I don't think we should further restrict allowed hostnames solely
> based on what the current edition of the standard says.  We are more or
> less liberal here, allowing various experiments - and I don't
> think this should be changed without a good reason.

While I agree that there is no real reason for forbidding some of
those characters, I think that Host still should be restricted to at
least printable ASCII characters (minus space and path separators).

I can't think of any reason why you would intentionally allow control
characters in there.

Best regards,
Piotr Sikora
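
The rule proposed in the message above (printable ASCII, minus space and path separators), written out as a byte-level check. This is an added example, not code from the patch or from nginx; the names `host_check` and `host_verdict` are hypothetical, and treating "path separators" as `/` and `\` is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Rejection reasons (hypothetical names, not nginx's). */
typedef enum {
    HOST_OK = 0,
    HOST_EMPTY,
    HOST_CONTROL,    /* 0x00-0x1F or 0x7F (DEL) */
    HOST_SPACE,      /* 0x20 */
    HOST_PATH_SEP,   /* '/' or '\\' (assumed meaning of "path separators") */
    HOST_NON_ASCII   /* 0x80-0xFF */
} host_verdict;

/*
 * Check a raw Host value byte by byte. On rejection, *bad_off (if non-NULL)
 * receives the offset of the first offending byte, so it can be logged.
 * The length is explicit so an embedded NUL is inspected, not treated as
 * the end of the string.
 */
host_verdict
host_check(const unsigned char *host, size_t len, size_t *bad_off)
{
    size_t        i;
    host_verdict  v;

    if (len == 0) {
        if (bad_off != NULL) *bad_off = 0;
        return HOST_EMPTY;
    }
    for (i = 0; i < len; i++) {
        unsigned char  c = host[i];

        if (c < 0x20 || c == 0x7f)       v = HOST_CONTROL;
        else if (c == 0x20)              v = HOST_SPACE;
        else if (c == '/' || c == '\\')  v = HOST_PATH_SEP;
        else if (c >= 0x80)              v = HOST_NON_ASCII;
        else                             continue;   /* printable, allowed */

        if (bad_off != NULL) *bad_off = i;
        return v;
    }
    return HOST_OK;
}

int main(void)
{
    size_t  off = 0;
    /* Constructed sample: CR LF inside the value. */
    host_verdict v = host_check((const unsigned char *) "a\r\nb", 4, &off);
    printf("verdict=%d offset=%zu\n", (int) v, off);
    return 0;
}
```

Characters such as `_`, `[`, `]` and `:` still pass, so experimental hostnames, IPv6 literals and ports are unaffected by this rule.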


