[PATCH] better constrain IP-literal validation in ngx_http_validate_host()
mdounin at mdounin.ru
Mon Dec 24 12:58:59 UTC 2018
On Fri, Dec 21, 2018 at 11:59:27AM -0800, Terence Honles wrote:
> The reason I came across this code was I have NGINX handling HTTPS, and
> proxying to Django via uWSGI. Django has the following RegEx _. Which is is
> compliant with the IPv6 literal notation, but causes Django to report an
Well, as far as I see the regex in question will also report an
error for perfectly valid IPvFuture literals.
> While I agree, there may not be an issue of security; Any down stream systems
> may be confused and unable to handle a malformed hostname.
If you want to prevent such names from hitting your backend
servers, a better solution might be to configure nginx to only
accept explicitly configured host names (including IP literals).
This is more or less trivial to configure and something you
probably should do anyway unless you are still supporting
pre-Host-header clients. E.g.:
listen 80 default;
> Another alternative would be to rewrite the hostname to not
> include the "[" and "]" if it is not a valid IPv6 literal,
Well, this _will_ be a security issue, since it can easily result
in different processing of names in nginx and backends.
More information about the nginx-devel