[PATCH] better constrain IP-literal validation in ngx_http_validate_host()
Terence Honles
terence at honles.com
Mon Feb 25 20:46:00 UTC 2019
I followed up on this, and it is only happening via HTTPs which does not have
the "host guard". When added it performed as expected, Thanks.
On Tue, Dec 25, 2018 at 7:42 AM Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Mon, Dec 24, 2018 at 01:47:36PM -0800, Terence Honles wrote:
>
> > Yes, the regex will fail for IPv future literals, but I don't believe they are
> > being used in practice. When they are, I'm sure the Django project will
> > welcome the change to the RegEx.
>
> Sure. The point is that there is no difference between perfectly
> valid and invalid literals. Django will complain if it sees
> anything it doesn't understand (and that's perfectly fine,
> actually).
>
> > As for the configuration you proposed, we are already using that (with a 444
> > instead of 404), but the IP literal will still pass through because it is a
> > valid match (but an invalid hostname according to RFC 3986).
>
> With the configuration I proposed, names you haven't explicitly
> configured with the "server_name" directive will not be sent to
> backends. And if you've explicitly configured an invalid name, I
> don't see why nginx should refuse doing what it was explicitly
> told to do.
>
> Most likely, you've instead configured nginx to pass everything to
> Django, and this is what causes errors in your setup. Consider
> switching to a more restricted configuration.
>
> Happy holidays.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
More information about the nginx-devel
mailing list