[PATCH] Add strict Host validation
piotr at cloudflare.com
Fri Dec 19 21:08:52 UTC 2014
> I don't think we should further restrict allowed hostnames solely
> based on what current edition of standard says. We are more or
> less liberal here, allowing various experiments - and I don't
> think this should be changed without a good reason.
While I agree that there is no real reason for forbidding some of
those characters, I think that Host still should be restricted to at
least printable ASCII characters (minus space and path separators).
I can't think of any reason why would you intentionally allow control
characters in there.
More information about the nginx-devel