Code review request, 8020842 IDN do not throw IAE when hostname ends with a trailing dot

Xuelei Fan xuelei.fan at oracle.com
Fri Aug 9 02:50:07 UTC 2013


On 8/9/2013 10:14 AM, Weijun Wang wrote:
> 
> 
> On 8/9/13 9:37 AM, Xuelei Fan wrote:
>> On 8/9/2013 9:22 AM, Weijun Wang wrote:
>>> I tried nslookup. Those with ".." inside are illegal,
>>>
>>> $ nslookup com..
>>> nslookup: 'com..' is not a legal name (empty label)
>>>
>>> but
>>>
>>> $ nslookup .
>>> Server:        192.168.10.1
>>> Address:    192.168.10.1#53
>>>
>>> Non-authoritative answer:
>>> *** Can't find .: No answer
>>>
>> Thanks for the testing.  The behaviors are the same as this fix now.
> 
> Not exactly. It seems nslookup still regards "." as legal but just cannot
> find an IP for it.
> 
I'm not sure whether a root domain name can stand alone.  The root label
is not considered a label in IDN.  I think it is safe to regard
"." as not a valid IDN as it contains no label.  Anyway, it is a corner
case.

There are many online IDN conversion web services; some of them can
convert ".", some of them cannot.  In the present implementation, we
cannot recognize ".", and IDN.toASCII(".") throws
StringIndexOutOfBoundsException.  With this fix, I was wondering whether IAE is
a better exception for IDN.toASCII(".").

>>
>> Learn something new today to use nslookup.
>>
>>> Also, since this bug was originally about SNIHostName, do you need to
>>> add some extra restriction there to reject "oracle.com." things?
>>>
>> No, we cannot restrict the format of IDN in SNIHostName more than in
>> IDN. However, we may need to rethink the comparing of two IDNs, for
>> example, "example.com." should be equal to "example.com".  I want to
>> consider it in another bug.
> 
> Not sure. Does the spec say IDN and SNIHostName are equivalent sets? And
> it's not one is another's subset?
> 
Per the TLS specification, the host name in SNI is an IDN.  The spec of
SNIHostName says, "hostname is not a valid Internationalized Domain Name
(IDN) compliant with the RFC 3490 specification". The spec in
SNIHostName has the same meaning as IDN.  I don't want to add additional
restrictions beyond the specification of an IDN.

Xuelei

>>
>> Can I push the changeset?
> 
> I think it's better to ask someone in the networking team to make the
> suggestion. From what I read from Michael in this thread, he does not seem
> to totally agree with your code changes (at least not the 00 version).
> 
> Thanks
> Max
> 
>>
>> Thanks,
>> Xuelei
>>
>>> Thanks
>>> Max
>>>
>>> On 8/9/13 8:41 AM, Xuelei Fan wrote:
>>>> Ping.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>> On 8/7/2013 11:17 PM, Xuelei Fan wrote:
>>>>> Please review the new update:
>>>>>
>>>>> http://cr.openjdk.java.net./~xuelei/8020842/webrev.01/
>>>>>
>>>>> With this update, "com." is valid (return "com."); "." and
>>>>> "example..com" are invalid.  And IAE will be thrown for invalid IDN.
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>>
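
The acceptance rules discussed in this thread ("com." valid; ".", "com.." and "example..com" rejected with IAE), together with the trailing-dot comparison that was deferred to another bug, as an added example that is not part of the thread or of the JDK change. `SniNameCheck`, `canonical` and `sameHost` are hypothetical names, and dropping the root dot and lowercasing before comparison are assumptions of this example.

```java
import java.net.IDN;
import java.util.Locale;

public class SniNameCheck {
    /**
     * Returns the ASCII form of a host name without the trailing root dot,
     * or throws IllegalArgumentException when the name has no label or an
     * empty label. Only the ASCII full stop is treated as a separator here.
     */
    static String canonical(String host) {
        if (host.isEmpty() || host.equals(".")) {
            throw new IllegalArgumentException("no label in \"" + host + "\"");
        }
        // Assumption: one trailing dot denotes the root and is dropped.
        String name = host.endsWith(".")
                ? host.substring(0, host.length() - 1) : host;
        // Limit -1 keeps trailing empty strings, so "com.." is caught too.
        for (String label : name.split("\\.", -1)) {
            if (label.isEmpty()) {
                throw new IllegalArgumentException(
                        "empty label in \"" + host + "\"");
            }
        }
        // STD3 rules restrict ASCII labels to letters, digits and hyphen.
        return IDN.toASCII(name, IDN.USE_STD3_ASCII_RULES)
                  .toLowerCase(Locale.ROOT);
    }

    /** Compares two names so that "example.com." matches "example.com". */
    static boolean sameHost(String a, String b) {
        return canonical(a).equals(canonical(b));
    }

    public static void main(String[] args) {
        // Constructed sample inputs taken from the cases named in the thread.
        String[] samples = {"com.", "example.com.", ".", "com..", "example..com"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + canonical(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
        System.out.println("example.com. vs Example.COM: "
                + sameHost("example.com.", "Example.COM"));
    }
}
```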




More information about the security-dev mailing list