AAAAARGH.

Reply to AAAAARGH. on Thu, 14 May 2026 12:23:31 GMT

byteborg@chaos.social — Thu, 14 May 2026 12:23:31 GMT

@bagder yes, HTTP is broken in this regard, right from the start.
@catsalad

Reply to AAAAARGH. on Thu, 14 May 2026 11:42:21 GMT

agowa338@chaos.social — Thu, 14 May 2026 11:42:21 GMT

@bagder

Tbh, why don't all URLs just get normalised to have a dot at the end? Do we really want DNS Suffix lists?

That is my most hated "feature" in almost everything that does DNS.

Same?

Reply to AAAAARGH. on Thu, 14 May 2026 10:18:35 GMT

kasperd@westergaard.social — Thu, 14 May 2026 10:18:35 GMT

I think the existence of the PSL is a symptom of a design flaw in how cookies are handled. This is not a curl problem as curl wasn't where cookies originated.

And as for URLs without a trailing dot I think it's a problem that the server doesn't get to know what domain the client appended. Imagine a client simply sending Host: www. How is the server supposed to know which site the client wants without knowing what the client had appended.

The domain search feature is inherently incompatible with the TLS security model. I think it would have made more sense to make the trailing dot mandatory in https URLs as it would have better aligned with the security model of TLS. But I recall having seen cases where adding a trailing dot to https URLs would break things.

I understand that the intention is for curl to handle all of the corner cases correctly, and I think that makes sense for a project like curl. I can imagine how frustrating it can be, and at times I guess you just want to reject those corner cases.

Reply to AAAAARGH. on Thu, 14 May 2026 09:30:37 GMT

nosirrahsec@infosec.exchange — Thu, 14 May 2026 09:30:37 GMT

@bagder Ugh, reminds me of the trailing spaces vulnerability that windows had for years.

(Please no one tell me it still exists, please. I don't want nightmares.)

Reply to AAAAARGH. on Thu, 14 May 2026 09:17:18 GMT

bagder@mastodon.social — Thu, 14 May 2026 09:17:18 GMT

So yes, there is at least one more pending #curl CVE involving trailing dots.

Reply to AAAAARGH. on Thu, 14 May 2026 09:15:12 GMT

yetzt@social.yetzt.me — Thu, 14 May 2026 09:15:12 GMT

@bagder i remember when http://dk./ was a website.

Reply to AAAAARGH. on Thu, 14 May 2026 08:18:31 GMT

taschenorakel@mastodon.green — Thu, 14 May 2026 08:18:31 GMT

@bagder You'll hate me for writing that, but actually you gave the best argument for using trailing dot more often in URLs: "The trailing dot then means the name is to be used actually exactly only like that, it is specified in full, while the name without a trailing dot can be tried with a domain name appended to it." — Just to stop this terrible mess that's caused by DNS lookup suffixes. There should be an RFC banning this ancient and dangerous mechanism.

Reply to AAAAARGH. on Thu, 14 May 2026 06:56:23 GMT

joostvb@mastodon.green — Thu, 14 May 2026 06:56:23 GMT

@bagder "In 2022, someone found a web site that actually requires a trailing dot in the Host: header [...] and reported it to the curl project. Sigh. We back-pedaled on the eight years old decision and decided to internally keep the dot in the name, but strip it for the purpose of the SNI field. This seems to be how the browsers are doing it. We released curl 7.82.0 with this change. That site that needed the trailing dot kept in the Host: header could now be retrieved with curl. Yay." wow

Reply to AAAAARGH. on Thu, 14 May 2026 06:39:09 GMT

leeloo@c.im — Thu, 14 May 2026 06:39:09 GMT

@bagder
DNS section is technically incorrect.

With and without trailing dot does not necessarily refer to the same ip. The name example.com. always refers to example.com. where as example.com sometimes refers to example.com.internaldomain.tld.

That one bit me when I added a domain with a wildcard A-record to my dns search list. Suddenly example.com.internaldomaon.tld resolved. That caused quite a panic when I suddenly saw my own browser making a ton of requests to domains like doubleclick.net.mydomain.tld. in the webserver logs.

(As you might guess, I use dns blocklist for the big advertising domains, so only the subdomain version resolved).

Reply to AAAAARGH. on Thu, 14 May 2026 05:04:31 GMT

pemensik@fosstodon.org — Thu, 14 May 2026 05:04:31 GMT

@rachel @bagder but having TLS cert contain relative name only is completely ridiculous. Names in certs are always absolute. TLS code should use the full name resolved. getaddrinfo() provides it in canonical field.

Reply to AAAAARGH. on Thu, 14 May 2026 03:53:51 GMT

whyrl@furry.engineer — Thu, 14 May 2026 03:53:51 GMT

@bagder My take: the HTTP spec is wrong and anyone serving a different site with a trailing dot is insane and shouldn't be accomodated.

Reply to AAAAARGH. on Thu, 14 May 2026 01:41:34 GMT

rachel@transitory.social — Thu, 14 May 2026 01:41:34 GMT

@bagder@mastodon.social yup I had some trailing dots to force some things to not do a dns search, then they got coppied into something that did tls, and guess what, that cert does NOT have an alt name with a dot of course not, super fun to track down

Reply to AAAAARGH. on Wed, 13 May 2026 23:06:00 GMT

gloriouscow@oldbytes.space — Wed, 13 May 2026 23:06:00 GMT

@bagder

Someone called it a dot release.

sounds like you have a good dot product to me

Reply to AAAAARGH. on Wed, 13 May 2026 23:05:01 GMT

bagder@mastodon.social — Wed, 13 May 2026 23:05:01 GMT

@unlambda exactly, and that inevitably leads to a security problem somewhere deep in there where we did or did not handle it appropriately...

Reply to AAAAARGH. on Wed, 13 May 2026 22:59:47 GMT

unlambda@hachyderm.io — Wed, 13 May 2026 22:59:47 GMT

@bagder Always a problem when different systems have different requirements for the handling of something like this; different rules for the handling of the trailing dot, or case sensitivity, or the like. Frustrating that the standards and systems you need to interoperate with, like system hostname resolution, can't agree, so there's never an easy answer.

Reply to AAAAARGH. on Wed, 13 May 2026 22:44:28 GMT

fluffel@chaos.social — Wed, 13 May 2026 22:44:28 GMT

@bagder .