Code review request, 8020842 IDN do not throw IAE when hostname ends with a trailing dot

Matthew Hall mhall at mhcomputing.net
Thu Aug 8 20:24:41 PDT 2013


But, DNS considers "." as the valid root zone...
-- 
Sent from my mobile device.

Xuelei Fan <xuelei.fan at oracle.com> wrote:
>On 8/9/2013 10:14 AM, Weijun Wang wrote:
>> 
>> 
>> On 8/9/13 9:37 AM, Xuelei Fan wrote:
>>> On 8/9/2013 9:22 AM, Weijun Wang wrote:
>>>> I tried nslookup. Those with ".." inside are illegal,
>>>>
>>>> $ nslookup com..
>>>> nslookup: 'com..' is not a legal name (empty label)
>>>>
>>>> but
>>>>
>>>> $ nslookup .
>>>> Server:        192.168.10.1
>>>> Address:    192.168.10.1#53
>>>>
>>>> Non-authoritative answer:
>>>> *** Can't find .: No answer
>>>>
>>> Thanks for the testing.  The behaviors are the same as this fix now.
>> 
>> Not exactly. It seems nslookup still regards "." legal but just cannot
>> find an IP for it.
>> 
>I'm not sure whether a root domain name can stand alone.  Root label
>is not considered as a label in IDN.  I think it is safe to regard that
>"." is not a valid IDN as it contains no label.  Anyway, it is a corner
>case.
>
>There are many online IDN conversion web services, some of them can
>convert ".", some of them cannot.  In the present implementation, we
>cannot recognize ".", and IDN.toASCII(".") throws
>StringIndexOutOfBoundsException.  With this fix, I was wondering IAE is
>a better exception for IDN.toASCII(".").
>
>>>
>>> Learn something new today to use nslookup.
>>>
>>>> Also, since this bug was originally about SNIHostName, do you need to
>>>> add some extra restriction there to reject "oracle.com." things?
>>>>
>>> No, we cannot restrict the format of IDN in SNIHostName more than in
>>> IDN. However, we may need to rethink the comparison of two IDNs, for
>>> example, "example.com." should be equal to "example.com".  I want to
>>> consider it in another bug.
>> 
>> Not sure. Does the spec say IDN and SNIHostName are equivalent sets? And
>> it's not that one is another's subset?
>> 
>Per the TLS specification, host name in SNI is an IDN.  The spec of
>SNIHostName says, "hostname is not a valid Internationalized Domain Name
>(IDN) compliant with the RFC 3490 specification". The spec in
>SNIHostName has the same meaning as IDN.  I won't want to add additional
>restrictions beyond the specification of an IDN.
>
>Xuelei
>
>>>
>>> Can I push the changeset?
>> 
>> I think it's better to ask someone in the networking team to make the
>> suggestion. From what I read from Michael in this thread, he does not seem
>> to totally agree with your code changes (at least not the 00 version).
>> 
>> Thanks
>> Max
>> 
>>>
>>> Thanks,
>>> Xuelei
>>>
>>>> Thanks
>>>> Max
>>>>
>>>> On 8/9/13 8:41 AM, Xuelei Fan wrote:
>>>>> Ping.
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>>>>> On 8/7/2013 11:17 PM, Xuelei Fan wrote:
>>>>>> Please review the new update:
>>>>>>
>>>>>> http://cr.openjdk.java.net./~xuelei/8020842/webrev.01/
>>>>>>
>>>>>> With this update, "com." is valid (return "com."); "." and
>>>>>> "example..com" are invalid.  And IAE will be thrown for invalid IDN.
>>>>>>
>>>>>> Thanks,
>>>>>> Xuelei
>>>>>>
>>>
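
The cases discussed in this thread, as an added example that is not part of the original messages or of the OpenJDK changeset: a host-name normalizer that accepts one trailing root dot, rejects "." and names with an empty label, and lets "example.com." compare equal to "example.com". The class and method names are hypothetical, only the ASCII "." is treated as a label separator in the structural check, and the sample inputs are constructed.

```java
import java.net.IDN;
import java.util.Locale;

public class TrailingDotCheck {

    /**
     * Lower-case ASCII (ACE) form of a host name without the trailing root dot.
     * Throws IllegalArgumentException for names with no label or an empty label.
     */
    static String normalize(String name) {
        if (name.isEmpty() || name.equals(".")) {
            throw new IllegalArgumentException("no label: \"" + name + "\"");
        }
        // One trailing dot only marks the name as fully qualified; drop it.
        String body = name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
        // Anything left that starts or ends with a dot, or has "..", has an empty label.
        if (body.startsWith(".") || body.endsWith(".") || body.contains("..")) {
            throw new IllegalArgumentException("empty label: \"" + name + "\"");
        }
        // body has no trailing dot and no empty label, so the conversion does not
        // depend on how a given JDK build treats those inputs.
        return IDN.toASCII(body).toLowerCase(Locale.ROOT);
    }

    /** True when both names denote the same host, ignoring case and the root dot. */
    static boolean sameHost(String a, String b) {
        return normalize(a).equals(normalize(b));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the names from the thread plus one non-ASCII name.
        String[] samples = { "com.", ".", "example..com", "com..", "b\u00fccher.example." };
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> " + normalize(s));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" rejected: " + e.getMessage());
            }
        }
        System.out.println(sameHost("Example.COM.", "example.com"));
    }
}
```

Normalizing both sides before comparison keeps a server-name or certificate match from depending on whether the peer sent the fully qualified form.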


