Re: lower casing host names

> It turns out both browsers always unconditionally lower case the host name in URIs so they never send HTTP requests with mixed case.

I seen common browsers also "treat" the URI path (percent-encode it,
most notably). I appreciate that curl is a li'l more literal for HTTP
testing work. I hope curl and libcurl would stay that way and leave
standardizing case optional if anything.

I only used the python bindings, seems like it would fall under one of
those 'setopt' calls to change the default for whether it's
standardizing cases to lowercase before constructing the request-line
and host header, maybe independent option for request-line and
host-header case lowering.

> Why do they do this? Is this behavior of treating names differently based on
> case common? If so, should httpbis mention it?

They being HTTP daemons and applications:
 - they are just used to being fed mechanically-softed lowercase
strings from browsers
 - they weren't tested what happens when that varies
 - it was cheap and easy to do a quick strcmp() call instead of
something case-insensitive
 - shout out to the implementation that its redirect should be
comparing hostnames on a case insensitive basis, else
application-delivery/firewall may have to step in to mitigate

There can be various exploits and bugs along these lines!

Dale Anderson

Received on Friday, 30 December 2011 17:01:32 UTC