Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin
December 17, 2018 11:18AM
Hello!

On Sun, Dec 16, 2018 at 07:18:19PM -0800, Terence Honles wrote:

> # HG changeset patch
> # User Terence Honles <terence@honles.com>
> # Date 1542840079 28800
> # Wed Nov 21 14:41:19 2018 -0800
> # Node ID 0763519f3dcce2c68ccd8894dcc02a4d6114b4c2
> # Parent be5cb9c67c05ccaf22dab7abba78aa4c1545a8ee
> better constrain IP-literal validation in ngx_http_validate_host()
>
> The existing validation in ngx_http_validate_host() would allow a IP-literal
> such as "[127.0.0.1]" which is invalid according to RFC 3986 (See Appendix A.
> for the Collected ABNF). This format is intended for IPv6 and IPv-future not
> IPv4.

We've considered doing more strict checks when introducing IPv6
literals in e7db97bfac25 (http://hg.nginx.org/nginx/rev/e7db97bfac25),
yet decided that:

- it doesn't add anything to security,
- and may actually harm some future workloads, such as using
things like [unix:/path/to/unix.socket].

In particular, it doesn't looks like permitting [127.0.0.1] can be
a problem.

Do you think that introducing more strict checks can be
beneficial? Could you please outline reasons?

[...]

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 223 December 16, 2018 10:20PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin 59 December 17, 2018 11:18AM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 60 December 21, 2018 03:00PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin 75 December 24, 2018 08:00AM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 59 December 24, 2018 04:48PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 60 December 24, 2018 05:12PM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Maxim Dounin 78 December 25, 2018 10:44AM

Re: [PATCH] better constrain IP-literal validation in ngx_http_validate_host()

Terence Honles 53 February 25, 2019 03:48PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 86
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready