Hi,

> r1787662 adds Host header validation along with a fair number of unit tests.
> It includes a performance test which indicates - on my machine at least
> - that the performance impact is in the noise. I'd like to see better
> performance for full IPv6 addresses but the current code looks to be
> acceptable.

> The validation is not yet integrated into the request processing. My
> primary reason for not integrating it is that it will trigger a 400
> response if the header is invalid and I don't want to incorrectly reject
> valid headers. Therefore I have a request. Please try and break these
> new parsers.

I’ve looked at the new http host parsers and tried some test data. Most of the test cases have already been covered but still several issues popped up:

- IPv6 addresses containing ::: are considered valid while they should not be, e.g. [:::2222:3333:4444:5555:6666:7777:8888] (except when “:::” are located at the end; in that case the host is rejected as invalid)

- IPv4 part of IPv6 addresses should not contain leading zeros according to the following part of the specification:

    IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet
    dec-octet   = DIGIT                 ; 0-9
                / %x31-39 DIGIT         ; 10-99
                / "1" 2DIGIT            ; 100-199
                / "2" %x30-34 DIGIT     ; 200-249
                / "25" %x30-35          ; 250-255

  However, whether leading zeros are permitted or not seems to be a matter of a recommendation rather than a strict rule. This may lead to ambiguity since many sources over the internet consider 01.02.03.04 as valid but [::01.02.03.04] as invalid.

- IPv6 Host containing any symbol other than : after ] is considered valid though these trailing symbols after the ] are ignored, e.g. [::1]’, [::1] a

- It seems that compression just before the IPv4 part is not handled correctly. This one is considered invalid but should be valid: [a:b:c:d:e::1.2.3.4]

Most of the test data has been taken from here:
[1] http://home.deds.nl/~aeron/regex/invalid_ipv6.txt
[2] http://home.deds.nl/~aeron/regex/valid_ipv6.txt

> Please commit any values you test with.

> Once we are happy with the quality of these parsers, I'll integrate them
> into the request processing.

> Mark

Kind regards,
Katya
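
Added example, not part of the original message and not Tomcat's code: a minimal Python check of a bracketed IPv6 Host value against the RFC 3986 ABNF read strictly, run over the four cases reported above. The function names are hypothetical, the sample list is constructed from the values quoted in the message, and IPvFuture literals are out of scope.

```python
import re

H16 = re.compile(r"[0-9A-Fa-f]{1,4}")
# dec-octet per the ABNF quoted above: no leading zeros, 0-255 only
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"
IPV4 = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")
# "[" address "]" optionally followed by ":" port; nothing else may trail "]"
HOST = re.compile(r"\[([^\]]*)\](?::([0-9]*))?")

def valid_ipv6(addr):
    """True if addr (without brackets) matches the IPv6address rule."""
    if addr.count("::") > 1:
        return False
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    slots = 0
    # An embedded IPv4 address is only legal as the final element (ls32)
    last = right if sep else left
    if last and "." in last[-1]:
        if not IPV4.fullmatch(last.pop()):
            return False
        slots = 2  # an IPv4 tail occupies two 16-bit groups
    groups = left + right
    # ":::" leaves an empty group after partitioning, which fails here
    if not all(H16.fullmatch(g) for g in groups):
        return False
    slots += len(groups)
    # "::" must stand for at least one group; without it all 8 are required
    return slots <= 7 if sep else slots == 8

def valid_ip_literal_host(host):
    """Validate a Host value of the form [IPv6address] or [IPv6address]:port."""
    m = HOST.fullmatch(host)
    return bool(m) and valid_ipv6(m.group(1))

# Constructed sample list: the values quoted in the message plus two controls
SAMPLES = [
    "[:::2222:3333:4444:5555:6666:7777:8888]",
    "[::01.02.03.04]",
    "[::1]\u2019",
    "[::1] a",
    "[a:b:c:d:e::1.2.3.4]",
    "[::1]",
    "[::1]:8080",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} {'valid' if valid_ip_literal_host(s) else 'invalid'}")
```

Rejecting `[::01.02.03.04]` reflects the strict reading of the ABNF; a parser that chooses to tolerate leading zeros would relax only the `OCTET` pattern.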