[PATCH] better constrain IP-literal validation in ngx_http_validate_host()
Maxim Dounin
mdounin at mdounin.ru
Tue Dec 25 15:42:34 UTC 2018
Hello!
On Mon, Dec 24, 2018 at 01:47:36PM -0800, Terence Honles wrote:
> Yes, the regex will fail for IPv future literals, but I don't believe they are
> being used in practice. When they are, I'm sure the Django project will
> welcome the change to the RegEx.
Sure. The point is that there is no difference between perfectly
valid and invalid literals. Django will complain if it sees
anything it doesn't understand (and that's perfectly fine,
actually).
> As for the configuration you proposed, we are already using that (with a 444
> instead of 404), but the IP literal will still pass through because it is a
> valid match (but an invalid hostname according to RFC 3986).
With the configuration I proposed, names you haven't explicitly
configured with the "server_name" directive will not be sent to
backends. And if you've explicitly configured an invalid name, I
don't see why nginx should refuse doing what it was explicitly
told to do.
Most likely, you've instead configured nginx to pass everything to
Django, and this is what causes errors in your setup. Consider
switching to a more restricted configuration.
Happy holidays.
--
Maxim Dounin
http://mdounin.ru/
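
The kind of restricted setup the message describes, as an added example that is not part of the original message or the configuration proposed earlier in the thread. The host names and backend address are assumed placeholders; 444 is the code mentioned in the quoted text, which makes nginx close the connection without sending a response.

```nginx
# Weak: a single server block with no explicit names is the default server
# for the port, so a request with any Host value is proxied to the backend.
#
# server {
#     listen 80;
#     location / {
#         proxy_pass http://127.0.0.1:8000;   # assumed Django backend address
#         proxy_set_header Host $host;
#     }
# }

# Restricted: requests whose Host matches no configured server_name land in
# the default server and are dropped before they reach the backend.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Only the names listed here are passed on to the backend.
server {
    listen 80;
    server_name example.com www.example.com;   # assumed site names

    location / {
        proxy_pass http://127.0.0.1:8000;       # assumed Django backend address
        proxy_set_header Host $host;
    }
}
```

Keeping Django's ALLOWED_HOSTS in line with the server_name list means both layers accept the same set of names.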