deps: cares: cherry-pick b5a3d96
Original commit message:

Asterisks should be allowed in host validation as CNAMEs may reference
wildcard domains

CloudFlare appears to use this logic in CNAMEs as per
#42171

Fixes: c-ares/c-ares#457
Fix By: Brad House (@bradh352)

PR-URL: #42216
Fixes: #42171
Fixes: #457
Refs: c-ares/c-ares#457
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
bradh352 authored and danielleadams committed Apr 24, 2022
1 parent a122eb1 commit 8d734cb
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions deps/cares/src/lib/ares_expand_name.c
Expand Up @@ -64,14 +64,16 @@ static int ares__isprint(int ch)
* - underscores which are used in SRV records.
* - Forward slashes such as are used for classless in-addr.arpa
* delegation (CNAMEs)
* - Asterisks may be used for wildcard domains in CNAMEs as seen in the
* real world.
* While RFC 2181 section 11 does state not to do validation,
* that applies to servers, not clients. Vulnerabilities have been
* reported when this validation is not performed. Security is more
* important than edge-case compatibility (which is probably invalid
* anyhow). */
static int is_hostnamech(int ch)
{
/* [A-Za-z0-9-._/]
/* [A-Za-z0-9-*._/]
* Don't use isalnum() as it is locale-specific
*/
if (ch >= 'A' && ch <= 'Z')
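Review bot: The new comment bullet scopes the asterisk to "wildcard domains in CNAMEs", but `is_hostnamech(int ch)` receives only a single character, so the allowance applies to every name validated through it, whatever the record type. The comment should say so, since the paragraph directly below it argues that this validation exists for security reasons. Separately, in the updated class comment `[A-Za-z0-9-*._/]` the `-` sits between `9` and `*` and reads like a range; writing it as `[A-Za-z0-9*._/-]` removes the ambiguity.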
Expand All @@ -80,7 +82,7 @@ static int is_hostnamech(int ch)
return 1;
if (ch >= '0' && ch <= '9')
return 1;
if (ch == '-' || ch == '.' || ch == '_' || ch == '/')
if (ch == '-' || ch == '.' || ch == '_' || ch == '/' || ch == '*')
return 1;

return 0;
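Review bot: In the changed condition, `ch == '*'` accepts an asterisk at any position in a name, for example `a*b.example` or `foo.*.example`, while the stated motivation is wildcard domains, where `*` is a complete label. A per-character predicate cannot enforce that, so either the calling loop should check that `*` only appears as a whole label, or the comment should note that callers now receive names that may contain `*` and must not pass them unescaped to anything that treats it as a glob or pattern. The commit changes only this one file, so a test covering an accepted wildcard name alongside characters that must still be rejected would pin the behaviour down.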