Code review request, 8020842 IDN do not throw IAE when hostname ends with a trailing dot
Matthew Hall
mhall at mhcomputing.net
Fri Aug 9 03:24:41 UTC 2013
But, DNS considers "." as the valid root zone...
--
Sent from my mobile device.
Xuelei Fan <xuelei.fan at oracle.com> wrote:
>On 8/9/2013 10:14 AM, Weijun Wang wrote:
>>
>>
>> On 8/9/13 9:37 AM, Xuelei Fan wrote:
>>> On 8/9/2013 9:22 AM, Weijun Wang wrote:
>>>> I tried nslookup. Those with ".." inside are illegal,
>>>>
>>>> $ nslookup com..
>>>> nslookup: 'com..' is not a legal name (empty label)
>>>>
>>>> but
>>>>
>>>> $ nslookup .
>>>> Server: 192.168.10.1
>>>> Address: 192.168.10.1#53
>>>>
>>>> Non-authoritative answer:
>>>> *** Can't find .: No answer
>>>>
>>> Thanks for the testing. The behaviors are the same as this fix now.
>>
>> No exactly. It seems nslookup still regards "." legal but just cannot
>> find an IP for it.
>>
>I'm not sure whether a root domain name can be stand alone. Root label
>is not considered as a label in IDN. I think it is safe to regard that
>"." is not a valid IDN as it contains no label. Anyway, it is a corner
>case.
>
>There are many online IDN conversion web services, some of them can
>convert ".", some of the cannot. In the present implementation, we
>cannot recognize ".", and IDN.toASCII(".") throws
>StringIndexOutOfBoundsException. With this fix, I was wondering IAE is
>a better exception for IDN.toASCII(".").
>
>>>
>>> Learn something new today to use nslookup.
>>>
>>>> Also, since this bug was originally about SNIHostName, do you need
>to
>>>> add some extra restriction there to reject "oracle.com." things?
>>>>
>>> No, we cannot restrict the format of IDN in SNIHostName more than in
>>> IDN. However, we may need to rethink about the comparing of two IDN,
>for
>>> example, "example.com." should equal to "example.com". I want to
>>> consider it in another bug.
>>
>> Not sure. Does the spec say IDN and SNIHostName are equivalent sets?
>And
>> it's not one is another's subset?
>>
>Per TLS specification, host name in SNI is an IDN. The spec of
>SNIHostname says, "hostname is not a valid Internationalized Domain
>Name
>(IDN) compliant with the RFC 3490 specification". The spec in
>SNIHostName has the same means as IDN. I won't want to add additional
>restrict beyond the specification of an IDN.
>
>Xuelei
>
>>>
>>> Can I push the changeset?
>>
>> I think it's better to ask someone in the networking team to make the
>> suggestion. From what I read Michael in this thread, he does not seem
>> totally agreed with your code changes (at least not the 00 version).
>>
>> Thanks
>> Max
>>
>>>
>>> Thanks,
>>> Xuelei
>>>
>>>> Thanks
>>>> Max
>>>>
>>>> On 8/9/13 8:41 AM, Xuelei Fan wrote:
>>>>> Ping.
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>>>>> On 8/7/2013 11:17 PM, Xuelei Fan wrote:
>>>>>> Please review the new update:
>>>>>>
>>>>>> http://cr.openjdk.java.net./~xuelei/8020842/webrev.01/
>>>>>>
>>>>>> With this update, "com." is valid (return "com."); "." and
>>>>>> "example..com" are invalid. And IAE will be thrown for invalid
>IDN.
>>>>>>
>>>>>> Thanks,
>>>>>> Xuelei
>>>>>>
>>>
More information about the security-dev
mailing list