Re: lower casing host names

all domain names are case insensitive according to the DNS specs RFC 
1034, 1035 etc.

On 31/12/2011 6:00 a.m., Dale Anderson wrote:
>> It turns out both browsers always unconditionally lower case the host name in URIs so they never send HTTP requests with mixed case.
> I seen common browsers also "treat" the URI path (percent-encode it,
> most notably). I appreciate that curl is a li'l more literal for HTTP
> testing work. I hope curl and libcurl would stay that way and leave
> standardizing case optional if anything.
> I only used the python bindings, seems like it would fall under one of
> those 'setopt' calls to change the default for whether it's
> standardizing cases to lowercase before constructing the request-line
> and host header, maybe independent option for request-line and
> host-header case lowering.
>> Why do they do this? Is this behavior of treating names differently based on
>> case common? If so, should httpbis mention it?
> They being HTTP daemons and applications:
>   - they are just used to being fed mechanically-softed lowercase
> strings from browsers
>   - they weren't tested what happens when that varies
>   - it was cheap and easy to do a quick strcmp() call instead of
> something case-insensitive
>   - shout out to the implementation that its redirect should be
> comparing hostnames on a case insensitive basis, else
> application-delivery/firewall may have to step in to mitigate
> There can be various exploits and bugs along these lines!
> Dale Anderson

Adrien de Croy - WinGate Proxy Server -
WinGate 7 is released! -

Received on Friday, 30 December 2011 18:45:25 UTC