Dealing with invalid host names #54
Comments
This is not a valid hostname so I guess it could be addressed by #53. Thanks for reporting it :-)

Let us know if the

Still getting the same error with 1.5.3:

Herpaderp. It works when there's a path but not just a hostname. Kind of a problem with accepting mixed format inputs I guess. I'll check it out a little further. My main instinct is to expand cleanHostValue to return only valid hostname characters, which are all acceptable as regular expression characters. Not entirely sure why a regex is being composed from the input, but I don't think I have to internalize all that to fix this problem.
Someone sniffing for open vulnerabilities sent our server a request with the URL:
http://('4drsteve.com', [], ['54.213.246.177'])/xmlrpc.php
Our server handles traffic for multiple domains, so it passes the `Host` header to TLD.js to determine which domain the request belongs to. TLD.js extracts the tail portion of the value (`177'])`), which has no matching rule, and attempts to create a rule by turning this string into a regular expression without escaping it first.

So we get:
Not sure where to patch fix, probably in `Rule` constructor when creating a new rule it should always attempt to escape a string?

Or should this even be patched? Should TLD.js throw an error on invalid host names, or just return `null`?
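Added example, not part of the original issue and not TLD.js code: a sketch of the two defenses discussed in this thread, escaping the suffix before it is compiled into a regular expression and rejecting invalid host names with `null` before any rule lookup. All function names and the `(^|\.)suffix$` pattern shape are assumptions made for illustration; the sample host value is the one quoted in the report.

```javascript
// Added example. Function names and the pattern shape are hypothetical,
// not TLD.js's actual API or rule format.

// Escape every character that is special inside a regular expression.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe: the pattern is composed from raw input, as described in the report.
function unsafeSuffixPattern(suffix) {
  return new RegExp('(^|\\.)' + suffix + '$');
}

// Safe: the suffix can only ever match itself literally.
function safeSuffixPattern(suffix) {
  return new RegExp('(^|\\.)' + escapeRegExp(suffix) + '$');
}

// RFC 1123 style check: dot-separated labels of letters, digits and hyphens,
// 1-63 characters each, no leading or trailing hyphen, 253 characters total.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostname(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) {
    return false;
  }
  const name = host.replace(/\.$/, ''); // tolerate one trailing root dot
  return name.split('.').every((label) => LABEL.test(label));
}

// Return the last label of a valid host name, or null for anything else,
// so attacker-controlled Host headers never reach rule construction.
function lastLabel(host) {
  if (!isValidHostname(host)) return null;
  return host.replace(/\.$/, '').toLowerCase().split('.').pop();
}

// Host value from the report and the tail that was extracted from it.
const REPORTED_HOST = "('4drsteve.com', [], ['54.213.246.177'])";
const REPORTED_TAIL = "177'])";

try {
  unsafeSuffixPattern(REPORTED_TAIL);
} catch (err) {
  console.log('unsafe build failed:', err.name); // unmatched ')' in the pattern
}
console.log('safe build:', safeSuffixPattern(REPORTED_TAIL).source);
console.log('validated lookup:', lastLabel(REPORTED_HOST));
```

Escaping also matters for input that does not throw: an unescaped `.` in a suffix such as `co.uk` matches any character, so the unsafe pattern accepts `example.coxuk`.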