tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection

    Date:        Mon, 30 May 2011 22:15:08 -0700
    From:        Erik Fair <>
    Message-ID:  <>

I'm not sure why this has reappeared after all this time, but ...

  | It is still illegal to have a "_" in a host name.

For that statement to be meaningful you need to define just what
is a "host name".  (It certainly isn't illegal to have a '_' in
hostname(1) in NetBSD for example).

If you mean "something registered in hosts.txt" then I agree, but
also don't care, as that's obsolete.  For almost any other definition
(including use in e-mail addresses) that's nonsense.

'_' was added to the legal "atom" characters (atext) in rfc2822 (in 2001,
that is: 10 years ago) because, in practice, everyone accepted it anyway.
It is still in atext in rfc5322.

But _ is close enough to alphabetic (it was only missing from 822 because
way back then the 0x5F slot in ascii was one of very few that varied from
implementation to implementation - I used a system, long ago, where that
character was a left facing arrow, not an underscore, for example...) and
is by no means typical of other random non alpha-numeric characters, all
of which are OK in domain names, but many of which aren't permitted in e-mail
addresses (and URLs, and various other places).   (For example, '.' is OK
as a component of a DNS label, but can only be a separator between domain
name labels in e-mail addresses).

It is worth noting that there's no defined restriction anywhere on the
names that may be used as the target of an MX record, anything that's legal
in the DNS is OK for that...


Home | Main Index | Thread Index | Old Index