Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hosts plugin allows setting invalid hostnames #2185

Open
tom-wa opened this Issue Aug 15, 2018 · 7 comments

Comments

Projects
None yet
2 participants
@tom-wa
Copy link
Contributor

tom-wa commented Aug 15, 2018

Steps to Reproduce the Problem

according to man 5 hosts this should be invalid:
kdb set system/hosts/ipv4/-invalidhost- 127.0.0.1

not sure if there are any length limits for hostnames in /etc/hosts files, but at least FQNDs are limited to 254 characters so i guess this should also be invalid:

kdb set system/hosts/ipv4/`perl -e 'print "a"x256'` 127.0.0.1

Expected Result

Validation error

Actual Result

entry is written to hosts file

System Information

  • Elektra Version: 0.8.23
  • Debian Stretch
  • Versions of other relevant software?

Further Log Files and Output

@markus2330 markus2330 added this to the 0.8.24 milestone Aug 15, 2018

@markus2330

This comment has been minimized.

Copy link
Contributor

markus2330 commented Aug 15, 2018

Thank you for reporting the bug! Unfortunately we do not have a plugin checking for valid (base) names at the moment.

What about adding check/validation/match = BASENAME support in the validation plugin. Then we could specify a regex in src/plugins/hosts/contract.h which checks for valid hostnames (and aliases).

Do you know which hostnames and aliases are allowed?

This would also fix the problem with newlines in hostnames + aliases, see #1719 (but not the problem of newlines in comments...)

@tom-wa

This comment has been minimized.

Copy link
Contributor Author

tom-wa commented Aug 15, 2018

Do you know which hostnames and aliases are allowed?

i couldn't find any specification for /etc/hosts.

RFC952 states

A "name" (Net, Host, Gateway, or Domain name) is a text string up
to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
sign (-), and period (.). Note that periods are only allowed when
they serve to delimit components of "domain style names".

the grammar doesn't have that limitation though.

according to RFC1034 a FQDN is 254 characters max (including root). and a hostname is 63 characters max (which seems to be the more common than the 24 character limit)

what all have in common is that they can't end in a hypen, should start with either an alphanumeric character of a numeric character (depending on which documentation you read) and end with an alphanumeric character.

i'd go with the FQDN definition, and imho a simple check if the basename qualifies at a valid FQDN should be done in the hosts plugin (it's just 4 strchr calls + distance check to the previous one)

what do you think ?

@markus2330

This comment has been minimized.

Copy link
Contributor

markus2330 commented Aug 15, 2018

Sounds good! If you can give it a quick check with what glibc/musl does, it is even better.

@tom-wa

This comment has been minimized.

Copy link
Contributor Author

tom-wa commented Aug 15, 2018

musl does the bare minimum

if (strnlen(host, 255)-1 >= 254 || mbstowcs(0, host, 0) == -1) return 0;
for (s=(void *)host; *s>=0x80 || *s=='.' || *s=='-' || isalnum(*s); s++);

not sure what glibc does, too just too much to read, did a few greps, but couldn't find any validation of the hostname in /etc/hosts

i'd go with musl's check but add maybe isalpha(host[0]) && isalnum(host[strlen(host)-1]) like the RFC1034 grammar states with a "strict" config option ?

@markus2330

This comment has been minimized.

Copy link
Contributor

markus2330 commented Aug 15, 2018

i'd go with musl's check

Sounds good!

grammar states with a "strict" config option

Only if somebody needs both options. Otherwise simply implement one.

@markus2330

This comment has been minimized.

Copy link
Contributor

markus2330 commented Aug 17, 2018

@tom-wa actually we already have a kind-of "strict" option: the --with-recommends option. So everything directly implemented in hosts is "non-strict", what you implement as regex in the contract (which is only applied when --with-recommends is used) is "strict".

@markus2330

This comment has been minimized.

Copy link
Contributor

markus2330 commented Aug 18, 2018

@tom-wa any update here?

@markus2330 markus2330 modified the milestones: 0.8.24, 0.8.25 Aug 18, 2018

@markus2330 markus2330 modified the milestones: 0.8.25, 0.8.26 Nov 17, 2018

@markus2330 markus2330 added the bug label Feb 17, 2019

@markus2330 markus2330 removed this from the 0.8.26 milestone Feb 25, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.