AAAAARGH.
-
@bagder Always a problem when different systems have different requirements for the handling of something like this; different rules for the handling of the trailing dot, or case sensitivity, or the like. Frustrating that the standards and systems you need to interoperate with, like system hostname resolution, can't agree, so there's never an easy answer.
@unlambda exactly, and that inevitably leads to a security problem somewhere deep in there where we did or did not handle it appropriately...
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
@bagder@mastodon.social yup I had some trailing dots to force some things to not do a dns search, then they got coppied into something that did tls, and guess what, that cert does NOT have an alt name with a dot of course not, super fun to track down
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
@bagder My take: the HTTP spec is wrong and anyone serving a different site with a trailing dot is insane and shouldn't be accomodated.
-
@bagder@mastodon.social yup I had some trailing dots to force some things to not do a dns search, then they got coppied into something that did tls, and guess what, that cert does NOT have an alt name with a dot of course not, super fun to track down
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
@bagder
DNS section is technically incorrect.With and without trailing dot does not necessarily refer to the same ip. The name example.com. always refers to example.com. where as example.com sometimes refers to example.com.internaldomain.tld.
That one bit me when I added a domain with a wildcard A-record to my dns search list. Suddenly example.com.internaldomaon.tld resolved. That caused quite a panic when I suddenly saw my own browser making a ton of requests to domains like doubleclick.net.mydomain.tld. in the webserver logs.
(As you might guess, I use dns blocklist for the big advertising domains, so only the subdomain version resolved).
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
@bagder "In 2022, someone found a web site that actually requires a trailing dot in the Host: header [...] and reported it to the curl project. Sigh. We back-pedaled on the eight years old decision and decided to internally keep the dot in the name, but strip it for the purpose of the SNI field. This seems to be how the browsers are doing it. We released curl 7.82.0 with this change. That site that needed the trailing dot kept in the Host: header could now be retrieved with curl. Yay." wow
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
@bagder You'll hate me for writing that, but actually you gave the best argument for using trailing dot more often in URLs: "The trailing dot then means the name is to be used actually exactly only like that, it is specified in full, while the name without a trailing dot can be tried with a domain name appended to it." — Just to stop this terrible mess that's caused by DNS lookup suffixes. There should be an RFC banning this ancient and dangerous mechanism.
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
@bagder i remember when http://dk./ was a website.
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
So yes, there is at least one more pending #curl CVE involving trailing dots.
-
So yes, there is at least one more pending #curl CVE involving trailing dots.
@bagder Ugh, reminds me of the trailing spaces vulnerability that windows had for years.
(Please no one tell me it still exists, please. I don't want nightmares.)
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
I think the existence of the PSL is a symptom of a design flaw in how cookies are handled. This is not a curl problem as curl wasn't where cookies originated.
And as for URLs without a trailing dot I think it's a problem that the server doesn't get to know what domain the client appended. Imagine a client simply sending
Host: www. How is the server supposed to know which site the client wants without knowing what the client had appended.The domain search feature is inherently incompatible with the TLS security model. I think it would have made more sense to make the trailing dot mandatory in https URLs as it would have better aligned with the security model of TLS. But I recall having seen cases where adding a trailing dot to https URLs would break things.
I understand that the intention is for curl to handle all of the corner cases correctly, and I think that makes sense for a project like curl. I can imagine how frustrating it can be, and at times I guess you just want to reject those corner cases.
-
So yes, there is at least one more pending #curl CVE involving trailing dots.
Tbh, why don't all URLs just get normalised to have a dot at the end? Do we really want DNS Suffix lists?
That is my most hated "feature" in almost everything that does DNS.
Same?
-
AAAAARGH.
Trailing dots on host names in URLs is the gift that keeps on giving, I said it already four years ago and it still generously continues to poke me in the eye.
A tale of a trailing dot
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot. DNS When a given host name is to be resolved to an … Continue reading A tale of a trailing dot →
daniel.haxx.se (daniel.haxx.se)
-
R relay@relay.infosec.exchange shared this topic
