[PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin mdounin at mdounin.ru
Mon Dec 17 16:17:40 UTC 2018


On Sun, Dec 16, 2018 at 07:18:19PM -0800, Terence Honles wrote:

> # HG changeset patch
> # User Terence Honles <terence at honles.com>
> # Date 1542840079 28800
> #      Wed Nov 21 14:41:19 2018 -0800
> # Node ID 0763519f3dcce2c68ccd8894dcc02a4d6114b4c2
> # Parent  be5cb9c67c05ccaf22dab7abba78aa4c1545a8ee
> better constrain IP-literal validation in ngx_http_validate_host()
> The existing validation in ngx_http_validate_host() would allow a IP-literal
> such as "[]" which is invalid according to RFC 3986 (See Appendix A.
> for the Collected ABNF). This format is intended for IPv6 and IPv-future not
> IPv4.

We've considered doing more strict checks when introducing IPv6 
literals in e7db97bfac25 (http://hg.nginx.org/nginx/rev/e7db97bfac25), 
yet decided that:

- it doesn't add anything to security,
- and may actually harm some future workloads, such as using 
  things like [unix:/path/to/unix.socket].

In particular, it doesn't looks like permitting [] can be 
a problem.

Do you think that introducing more strict checks can be 
beneficial?  Could you please outline reasons?


Maxim Dounin

More information about the nginx-devel mailing list