Code review request, 8020842 IDN do not throw IAE when hostname ends with a trailing dot
Xuelei Fan
xuelei.fan at oracle.com
Fri Aug 9 04:28:35 UTC 2013
Thanks for your feedback and suggestions.
Here is the new webrev:
http://cr.openjdk.java.net/~xuelei/8020842/webrev.02/
"." is regarded as valid IDN in this update.
Thanks,
Xuelei
On 8/9/2013 10:50 AM, Xuelei Fan wrote:
> On 8/9/2013 10:14 AM, Weijun Wang wrote:
>>
>>
>> On 8/9/13 9:37 AM, Xuelei Fan wrote:
>>> On 8/9/2013 9:22 AM, Weijun Wang wrote:
>>>> I tried nslookup. Those with ".." inside are illegal,
>>>>
>>>> $ nslookup com..
>>>> nslookup: 'com..' is not a legal name (empty label)
>>>>
>>>> but
>>>>
>>>> $ nslookup .
>>>> Server: 192.168.10.1
>>>> Address: 192.168.10.1#53
>>>>
>>>> Non-authoritative answer:
>>>> *** Can't find .: No answer
>>>>
>>> Thanks for the testing. The behaviors are the same as this fix now.
>>
>> Not exactly. It seems nslookup still regards "." legal but just cannot
>> find an IP for it.
>>
> I'm not sure whether a root domain name can stand alone. Root label
> is not considered as a label in IDN. I think it is safe to regard that
> "." is not a valid IDN as it contains no label. Anyway, it is a corner
> case.
>
> There are many online IDN conversion web services, some of them can
> convert ".", some of them cannot. In the present implementation, we
> cannot recognize ".", and IDN.toASCII(".") throws
> StringIndexOutOfBoundsException. With this fix, I was wondering whether
> IAE is a better exception for IDN.toASCII(".").
>
>>>
>>> Learn something new today to use nslookup.
>>>
>>>> Also, since this bug was originally about SNIHostName, do you need to
>>>> add some extra restriction there to reject "oracle.com." things?
>>>>
>>> No, we cannot restrict the format of IDN in SNIHostName more than in
>>> IDN. However, we may need to rethink the comparison of two IDNs, for
>>> example, "example.com." should be equal to "example.com". I want to
>>> consider it in another bug.
>>
>> Not sure. Does the spec say IDN and SNIHostName are equivalent sets? And
>> is it not that one is the other's subset?
>>
> Per the TLS specification, the host name in SNI is an IDN. The spec of
> SNIHostName says, "hostname is not a valid Internationalized Domain Name
> (IDN) compliant with the RFC 3490 specification". The spec in
> SNIHostName has the same meaning as IDN. I don't want to add additional
> restrictions beyond the specification of an IDN.
>
> Xuelei
>
>>>
>>> Can I push the changeset?
>>
>> I think it's better to ask someone in the networking team to make the
>> suggestion. From what I read from Michael in this thread, he does not
>> seem to totally agree with your code changes (at least not the 00 version).
>>
>> Thanks
>> Max
>>
>>>
>>> Thanks,
>>> Xuelei
>>>
>>>> Thanks
>>>> Max
>>>>
>>>> On 8/9/13 8:41 AM, Xuelei Fan wrote:
>>>>> Ping.
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>>>>> On 8/7/2013 11:17 PM, Xuelei Fan wrote:
>>>>>> Please review the new update:
>>>>>>
>>>>>> http://cr.openjdk.java.net./~xuelei/8020842/webrev.01/
>>>>>>
>>>>>> With this update, "com." is valid (return "com."); "." and
>>>>>> "example..com" are invalid. And IAE will be thrown for invalid IDN.
>>>>>>
>>>>>> Thanks,
>>>>>> Xuelei
>>>>>>
>>>
>
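The label rules discussed in this thread ("com." accepted, "example..com" and "com.." rejected for an empty label, "." accepted as in webrev.02), as an added Java example that is not part of the original messages or of the JDK change under review. The class and method names are hypothetical, and dropping the trailing root dot before comparing two names is an assumption of this example; the thread defers comparison to another bug.

```java
import java.net.IDN;
import java.util.Locale;

// Added illustration, not JDK code. HostNameCheck, canonical and sameHost are hypothetical names.
public class HostNameCheck {
    // Returns a comparison form of a host name: ASCII labels, lower case, no trailing root dot.
    // Throws IllegalArgumentException when any label is empty ("example..com", "com..", "..").
    static String canonical(String name) {
        // RFC 3490 section 3.1 treats U+3002, U+FF0E and U+FF61 as label separators too.
        String n = name.replaceAll("[\u3002\uFF0E\uFF61]", ".");
        if (n.isEmpty()) {
            throw new IllegalArgumentException("empty host name");
        }
        if (n.equals(".")) {
            return "."; // root only: accepted, as in webrev.02
        }
        // Drop one trailing dot: it marks the root and carries no label of its own.
        String body = n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
        // Limit -1 keeps empty strings, so "a..b", ".a" and "a.." expose their empty labels.
        String[] labels = body.split("\\.", -1);
        StringBuilder out = new StringBuilder();
        for (String label : labels) {
            if (label.isEmpty()) {
                throw new IllegalArgumentException("empty label in \"" + name + "\"");
            }
            if (out.length() > 0) out.append('.');
            // Convert label by label, so the result does not depend on how the
            // running JDK's IDN.toASCII handles dots in a full name.
            out.append(IDN.toASCII(label).toLowerCase(Locale.ROOT));
        }
        return out.toString();
    }

    static boolean sameHost(String a, String b) {
        return canonical(a).equals(canonical(b));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, taken from the cases named in the thread.
        String[] samples = {"com.", ".", "example..com", "com..", "example.com."};
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> \"" + canonical(s) + "\"");
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" rejected: " + e.getMessage());
            }
        }
        System.out.println(sameHost("example.com.", "EXAMPLE.com")); // true
    }
}
```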