Code review request, 8020842 IDN do not throw IAE when hostname ends with a trailing dot
Xuelei Fan
xuelei.fan at oracle.com
Sat Aug 10 01:13:48 UTC 2013
Hi Michael,
I plan to address this issue in SNIHostName. I have filled another two
the potential bugs in IDN.
Thank you, and other people, for the feedback.
Thanks,
Xuelei
On 8/9/2013 11:25 PM, Xuelei Fan wrote:
> On 8/9/2013 7:31 PM, Michael McMahon wrote:
>> I don't see how this fixes the original problem as the SNIHostName spec
>> still doesn't like hostnames with a trailing '.'
>>
> The bug description did not reflect the IDN specification correctly. If
> "com." is a valid IDN, SNIHostName should accept it an an valid
> hostname. The host name in SNIHostName is nothing more or less than an
> standard IDN.
>
> I added a comment in the bug: "com." and "." are valid IDN according the
> IDN and domain name specifications. I will contact the bug reporter
> about this point.
>
> Xuelei
>
>> I'd prefer to check first where that requirement is coming from, if it is
>> actually necessary, and if not consider removing it from SNIHostName.
>> If it is necessary, then the check should be implemented in SNIHostName.
>>
>> Michael
>>
>> On 09/08/13 05:28, Xuelei Fan wrote:
>>> Thanks for your feedback and suggestions.
>>>
>>> Here is the new webrev:
>>> http://cr.openjdk.java.net/~xuelei/8020842/webrev.02/
>>>
>>> "." is regarded as valid IDN in this update.
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 8/9/2013 10:50 AM, Xuelei Fan wrote:
>>>> On 8/9/2013 10:14 AM, Weijun Wang wrote:
>>>>>
>>>>> On 8/9/13 9:37 AM, Xuelei Fan wrote:
>>>>>> On 8/9/2013 9:22 AM, Weijun Wang wrote:
>>>>>>> I tried nslookup. Those with ".." inside are illegal,
>>>>>>>
>>>>>>> $ nslookup com..
>>>>>>> nslookup: 'com..' is not a legal name (empty label)
>>>>>>>
>>>>>>> but
>>>>>>>
>>>>>>> $ nslookup .
>>>>>>> Server: 192.168.10.1
>>>>>>> Address: 192.168.10.1#53
>>>>>>>
>>>>>>> Non-authoritative answer:
>>>>>>> *** Can't find .: No answer
>>>>>>>
>>>>>> Thanks for the testing. The behaviors are the same as this fix now.
>>>>> No exactly. It seems nslookup still regards "." legal but just cannot
>>>>> find an IP for it.
>>>>>
>>>> I'm not sure whether a root domain name can be stand alone. Root label
>>>> is not considered as a label in IDN. I think it is safe to regard that
>>>> "." is not a valid IDN as it contains no label. Anyway, it is a corner
>>>> case.
>>>>
>>>> There are many online IDN conversion web services, some of them can
>>>> convert ".", some of the cannot. In the present implementation, we
>>>> cannot recognize ".", and IDN.toASCII(".") throws
>>>> StringIndexOutOfBoundsException. With this fix, I was wondering IAE is
>>>> a better exception for IDN.toASCII(".").
>>>>
>>>>>> Learn something new today to use nslookup.
>>>>>>
>>>>>>> Also, since this bug was originally about SNIHostName, do you need to
>>>>>>> add some extra restriction there to reject "oracle.com." things?
>>>>>>>
>>>>>> No, we cannot restrict the format of IDN in SNIHostName more than in
>>>>>> IDN. However, we may need to rethink about the comparing of two
>>>>>> IDN, for
>>>>>> example, "example.com." should equal to "example.com". I want to
>>>>>> consider it in another bug.
>>>>> Not sure. Does the spec say IDN and SNIHostName are equivalent sets?
>>>>> And
>>>>> it's not one is another's subset?
>>>>>
>>>> Per TLS specification, host name in SNI is an IDN. The spec of
>>>> SNIHostname says, "hostname is not a valid Internationalized Domain Name
>>>> (IDN) compliant with the RFC 3490 specification". The spec in
>>>> SNIHostName has the same means as IDN. I won't want to add additional
>>>> restrict beyond the specification of an IDN.
>>>>
>>>> Xuelei
>>>>
>>>>>> Can I push the changeset?
>>>>> I think it's better to ask someone in the networking team to make the
>>>>> suggestion. From what I read Michael in this thread, he does not seem
>>>>> totally agreed with your code changes (at least not the 00 version).
>>>>>
>>>>> Thanks
>>>>> Max
>>>>>
>>>>>> Thanks,
>>>>>> Xuelei
>>>>>>
>>>>>>> Thanks
>>>>>>> Max
>>>>>>>
>>>>>>> On 8/9/13 8:41 AM, Xuelei Fan wrote:
>>>>>>>> Ping.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Xuelei
>>>>>>>>
>>>>>>>> On 8/7/2013 11:17 PM, Xuelei Fan wrote:
>>>>>>>>> Please review the new update:
>>>>>>>>>
>>>>>>>>> http://cr.openjdk.java.net./~xuelei/8020842/webrev.01/
>>>>>>>>>
>>>>>>>>> With this update, "com." is valid (return "com."); "." and
>>>>>>>>> "example..com" are invalid. And IAE will be thrown for invalid
>>>>>>>>> IDN.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Xuelei
>>>>>>>>>
>>
>
More information about the security-dev
mailing list