From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Mon, 27 Jul 2015 12:58:40 +0000 Subject: Allow a single trailing `.` when validating FQDNs from SOCKS. URI syntax (and DNS syntax) allows for a single trailing `.` to explicitly distinguish between a relative and absolute (fully-qualified) domain name. While this is redundant in that RFC 1928 DOMAINNAME addresses are *always* fully-qualified, certain clients blindly pass the trailing `.` along in the request. Fixes bug 16674; bugfix on 0.2.6.2-alpha. --- changes/bug16674 | 5 +++++ src/common/util.c | 6 ++++++ src/test/test_util.c | 12 ++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 changes/bug16674 diff --git a/changes/bug16674 b/changes/bug16674 new file mode 100644 index 0000000000..de55523fc8 --- /dev/null +++ b/changes/bug16674 @@ -0,0 +1,5 @@ + o Minor features (client): + - Relax the validation done to hostnames in SOCKS5 requests, and allow + a single trailing '.' to cope with clients that pass FQDNs using that + syntax to explicitly indicate that the domain name is + fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha. diff --git a/src/common/util.c b/src/common/util.c index 618e6a1b6a..1aac4fc3d1 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string) break; } + /* Allow a single terminating '.' used rarely to indicate domains + * are FQDNs rather than relative. */ + if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) { + continue; + } + do { if ((*c >= 'a' && *c <= 'z') || (*c >= 'A' && *c <= 'Z') || diff --git a/src/test/test_util.c b/src/test/test_util.c index 0f64c26e01..2bffb17bfd 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg) // comply with a ~30 year old standard. tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com")); + // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy, + // which is redundant since the spec states DOMAINNAME addresses are fully + // qualified. While unusual, this should be tollerated. + tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com.")); + tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com")); + tt_assert(!string_is_valid_hostname("so.is..ft.com")); + tt_assert(!string_is_valid_hostname("...")); + // XXX: do we allow single-label DNS names? + // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name" + // but only test pathologically malformed traling '.' cases for now. + tt_assert(!string_is_valid_hostname(".")); + tt_assert(!string_is_valid_hostname("..")); done: return; -- cgit v1.2.3-54-g00ecf