<div dir="ltr">I totally agree. Actually, I was going to submit only a fix allowing underscores in ngx_http_parse_request_line(). But there were some doubts...<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 17, 2016 at 11:10 AM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<br>
On Wed, Nov 16, 2016 at 06:36:12PM -0600, Aleksandr Kupriyanov wrote:<br>
<br>
<br>
> # HG changeset patch<br>
> # User Aleksandr Kupriyanov <<a href="mailto:sasha@instartlogic.com">sasha@instartlogic.com</a>><br>
> # Date 1479340749 21600<br>
> # Node ID af947b854971993f318417c70c3818<wbr>147b320a0d<br>
> # Parent  6a26016e9a138102798a7ec3e74747<wbr>fbd6018f82<br>
> Add directive to allow underscores in hostnames<br>
><br>
> Two equivalent requests generate different responses:<br>
><br>
> 1. ---------------<br>
> GET <a href="http://host_1.home/" rel="noreferrer" target="_blank">http://host_1.home/</a> HTTP/1.1<br>
> Host: host_1.home<br>
> ...<br>
> HTTP/1.1 400 Bad Request<br>
> Server: nginx/1.X.XX<br>
> ------------------<br>
><br>
> 2. ---------------<br>
> GET / HTTP/1.1<br>
> Host: host_1.home<br>
> ...<br>
> HTTP/1.1 200 OK<br>
> Server: nginx/1.X.XX<br>
> ------------------<br>
><br>
> To avoid that a new directive is proposed:<br>
><br>
> Syntax: underscores_in_hostname on | off;<br>
> Default: underscores_in_headers off;<br>
> Context: http, server<br>
><br>
> Enables or disables the use of underscores in host names of<br>
> client request line.<br>
><br>
> See a discussion about underscores in DNS here:<br>
> <a href="http://domainkeys.sourceforge.net/underscore.html" rel="noreferrer" target="_blank">http://domainkeys.sourceforge.<wbr>net/underscore.html</a><br>
<br>
Shouldn't we just allow underscores in<br>
ngx_http_parse_request_line() instead?  It doesn't look like<br>
there are reasons to keep the test that strict.<br>
<br>
In case of underscores_in_headers there is a clear security reason:<br>
headers are exposed via the HTTP_* variables in CGI, and via<br>
$http_* variables in nginx itself, and this makes headers with<br>
underscores indistinguishable from ones with dash, and creates an<br>
attack vector.<br>
<br>
I don't see such a problem with underscores in hostname when it's<br>
passed via the request line - especially keeping in mind that we<br>
don't enforce such a limitation via the Host header.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
<br>
______________________________<wbr>_________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx-devel</a><br>
</font></span></blockquote></div><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Aleksandr Kupriyanov<br>
Email: <a href="mailto:sasha@instartlogic.com" target="_blank">sasha@instartlogic.com</a></div></div>
</div>
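<p>Added example, not part of the original thread and not nginx code: a small C model of the header-name ambiguity described in the quoted reply, where a CGI-style mapping (HTTP_ prefix, upper case, dash to underscore) sends two different header names to the same variable, and a simplified policy that drops names containing underscores removes the ambiguity. The function names and the X-Forwarded-User sample header are assumptions made for illustration.</p>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* CGI-style mapping of a header name: "HTTP_" prefix, upper case, '-' -> '_'. */
static void cgi_var_name(const char *hdr, char *out, size_t outlen)
{
    size_t n = 5;
    if (outlen < 6) { if (outlen) out[0] = '\0'; return; }
    memcpy(out, "HTTP_", 5);
    for (; *hdr && n + 1 < outlen; hdr++)
        out[n++] = (*hdr == '-') ? '_' : (char) toupper((unsigned char) *hdr);
    out[n] = '\0';
}

/* 1 if both header names end up in the same CGI variable. */
static int names_collide(const char *a, const char *b)
{
    char va[128], vb[128];
    cgi_var_name(a, va, sizeof va);
    cgi_var_name(b, vb, sizeof vb);
    return strcmp(va, vb) == 0;
}

/* Simplified policy model (assumption): '_' in a name means the header is dropped. */
static int header_allowed(const char *hdr, int allow)
{
    return allow || strchr(hdr, '_') == NULL;
}

/* How many accepted request headers feed the variable derived from `name`. */
static int count_sources(const char *const *hdrs, size_t n, const char *name, int allow)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (header_allowed(hdrs[i], allow) && names_collide(hdrs[i], name))
            count++;
    return count;
}

/* Constructed sample request (header names only, hypothetical). */
static const char *const sample_headers[] =
    { "Host", "X-Forwarded-User", "X_Forwarded_User", "Accept" };

int main(void)
{
    printf("sources with underscores allowed: %d, refused: %d\n",
           count_sources(sample_headers, 4, "X-Forwarded-User", 1),
           count_sources(sample_headers, 4, "X-Forwarded-User", 0));
    return 0;
}
```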