- From: Adrien de Croy <adrien@qbik.com>
- Date: Sat, 31 Dec 2011 07:44:53 +1300
- To: Dale Anderson <dra@redevised.net>
- CC: Daniel Stenberg <daniel@haxx.se>, HTTP Working Group <ietf-http-wg@w3.org>
all domain names are case insensitive according to the DNS specs RFC 1034, 1035 etc. On 31/12/2011 6:00 a.m., Dale Anderson wrote: >> It turns out both browsers always unconditionally lower case the host name in URIs so they never send HTTP requests with mixed case. > I seen common browsers also "treat" the URI path (percent-encode it, > most notably). I appreciate that curl is a li'l more literal for HTTP > testing work. I hope curl and libcurl would stay that way and leave > standardizing case optional if anything. > > I only used the python bindings, seems like it would fall under one of > those 'setopt' calls to change the default for whether it's > standardizing cases to lowercase before constructing the request-line > and host header, maybe independent option for request-line and > host-header case lowering. > > >> Why do they do this? Is this behavior of treating names differently based on >> case common? If so, should httpbis mention it? >> > They being HTTP daemons and applications: > - they are just used to being fed mechanically-softed lowercase > strings from browsers > - they weren't tested what happens when that varies > - it was cheap and easy to do a quick strcmp() call instead of > something case-insensitive > - shout out to the implementation that its redirect should be > comparing hostnames on a case insensitive basis, else > application-delivery/firewall may have to step in to mitigate > > There can be various exploits and bugs along these lines! > > Dale Anderson > -- Adrien de Croy - WinGate Proxy Server - http://www.wingate.com WinGate 7 is released! - http://www.wingate.com/getlatest/
Received on Friday, 30 December 2011 18:45:25 UTC