AAAAARGH.
Trailing dots on host names in URLs are the gift that keeps on giving. I said it already four years ago and it still generously continues to poke me in the eye.
https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/
@bagder I find myself weirdly nostalgic for the long-defunct short-lived url shortener that was at http://to./ (which was very much dependent on the dot to stop it from being interpreted as a local name)
So yes, there is at least one more pending #curl CVE involving trailing dots.
Tbh, why don't all URLs just get normalised to have a dot at the end? Do we really want DNS Prefix lists?
That is my most hated "feature" in almost everything that does DNS.
Same?
@bagder Ugh, reminds me of the trailing spaces vulnerability that Windows had for years.
(Please no one tell me it still exists, please. I don't want nightmares.)
@bagder You'll hate me for writing that, but actually you gave the best argument for using trailing dot more often in URLs: "The trailing dot then means the name is to be used actually exactly only like that, it is specified in full, while the name without a trailing dot can be tried with a domain name appended to it."
@bagder "In 2022, someone found a web site that actually requires a trailing dot in the Host: header [...] and reported it to the curl project. Sigh. We back-pedaled on the eight years old decision and decided to internally keep the dot in the name, but strip it for the purpose of the SNI field. This seems to be how the browsers are doing it. We released curl 7.82.0 with this change. That site that needed the trailing dot kept in the Host: header could now be retrieved with curl. Yay." wow :)
@bagder
DNS section is technically incorrect.
With and without trailing dot does not necessarily refer to the same IP. The name example.com. always refers to example.com. whereas example.com sometimes refers to example.com.internaldomain.tld.
That one bit me when I added a domain with a wildcard A-record to my DNS search list. Suddenly example.com.internaldomain.tld resolved. That caused quite a panic when I suddenly saw my own browser making a ton of requests to domains like doubleclick.net.mydomain.tld. in the webserver logs.
(As you might guess, I use a DNS blocklist for the big advertising domains, so only the subdomain version resolved).
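The search-list behaviour described in the post above, modelled as an added example that is not part of the thread. It assumes the glibc-style `ndots` rule (default 1) and a blocklist that answers NXDOMAIN; the zone data, addresses and function names are constructed for illustration.

```python
# Constructed sample data: a wildcard A record under the search domain,
# one public name, and a blocklist entry for an advertising domain.
SEARCH = ["mydomain.tld"]
RECORDS = {"example.com.": "198.51.100.7", "*.mydomain.tld.": "192.0.2.10"}
BLOCKED = {"doubleclick.net."}

def candidates(name, search, ndots=1):
    """Fully qualified names a stub resolver tries, in order."""
    if name.endswith("."):
        return [name]  # absolute name: the search list is never applied
    absolute = name + "."
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded  # try as-is first, then the search list
    return expanded + [absolute]      # short names go through the search list first

def lookup(fqdn, records, blocked):
    """Toy zone lookup: blocklist, exact match, then wildcard match."""
    if fqdn in blocked:
        return None  # assumption: the blocklist returns NXDOMAIN
    if fqdn in records:
        return records[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in records:
            return records[wildcard]
    return None

def resolve(name, search=SEARCH, records=RECORDS, blocked=BLOCKED, ndots=1):
    """Return (fqdn, address) for the first candidate that resolves, else None."""
    for fqdn in candidates(name, search, ndots):
        addr = lookup(fqdn, records, blocked)
        if addr:
            return fqdn, addr
    return None

if __name__ == "__main__":
    for name in ("example.com", "doubleclick.net", "doubleclick.net."):
        print(f"{name!r:22} tries {candidates(name, SEARCH)} -> {resolve(name)}")
```

Without the trailing dot, the blocked name falls through to the wildcard under the search domain; with it, the lookup stops at the absolute name.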
@bagder My take: the HTTP spec is wrong and anyone serving a different site with a trailing dot is insane and shouldn't be accommodated.
@bagder Always a problem when different systems have different requirements for the handling of something like this; different rules for the handling of the trailing dot, or case sensitivity, or the like. Frustrating that the standards and systems you need to interoperate with, like system hostname resolution, can't agree, so there's never an easy answer.
@unlambda exactly, and that inevitably leads to a security problem somewhere deep in there where we did or did not handle it appropriately...
DNS records would like a word