Uri treats out-of-range IPv4 addresses as valid DNS names. #111447

Open
tmds opened this issue Jan 15, 2025 · 4 comments

@tmds (Member) commented Jan 15, 2025

```csharp
new Uri("http://300.300.300.300");
```

doesn't throw and is considered a valid DNS name by the Uri class.

This is because it meets the criteria of a valid domain name, due to dropping the requirement for the first character to be alphabetic:

```csharp
// Determines whether a string is a valid domain name label. In keeping
// with RFC 1123, section 2.1, the requirement that the first character
// of a label be alphabetic is dropped. Therefore, Domain names are
// formed as:
//
// <label> -> <alphanum> [<alphanum> | <hyphen> | <underscore>] * 62
```

Perhaps it would make sense to require at least one alphabetic character be present in each label?

@dotnet-policy-service bot added the untriaged label Jan 15, 2025

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

@MihaZupan (Member)

Has this caused you issues in practice, or is it more just something odd that you've noticed?

Given other issues around the kind of hostname validation we do (#64707), I wouldn't be surprised if we go in the other direction and be less restrictive instead.

@tmds (Member, Author) commented Jan 15, 2025

I was looking for an API that allows me to check whether a string provided by the user is a valid IPv4/IPv6/domain name. Uri.CheckHostName seemed like a good fit.

When trying some strings, it didn't behave as I had expected for 300.300.300.300, so I reported this issue.

> Given other issues around the kind of hostname validation we do (#64707), I wouldn't be surprised if we go in the other direction and be less restrictive instead.

This makes sense.

Perhaps there is some room to consider how Uri.CheckHostName behaves with these changes. Maybe UriHostNameType.Basic could be returned for non-valid domain names (though valid per URI RFCs).

@MihaZupan (Member)

> Maybe UriHostNameType.Basic could be returned for non-valid domain names (though valid per URI RFCs).

We'd have to double-check if that matters somewhere else in Uri for some reason, but that sounds reasonable to me.

@MihaZupan removed the untriaged label Jan 15, 2025
@MihaZupan added this to the Future milestone Jan 15, 2025
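
A stricter host check for the user-input use case described in the thread, as an added example that is not part of the issue or of the .NET code base: it wraps Uri.CheckHostName and rejects any name whose last label is all digits, so 300.300.300.300 is no longer accepted as a DNS name. HostKind, HostInput.Classify and the last-label rule are assumptions of this example, and the sample inputs are constructed.

```csharp
using System;
using System.Linq;

// Hypothetical result type for this example.
public enum HostKind { Invalid, IPv4, IPv6, DnsName }

public static class HostInput
{
    // Classifies a user-supplied host string. Anything Uri.CheckHostName
    // reports as Unknown or Basic is treated as invalid.
    public static HostKind Classify(string input)
    {
        if (string.IsNullOrWhiteSpace(input)) return HostKind.Invalid;

        switch (Uri.CheckHostName(input))
        {
            case UriHostNameType.IPv4: return HostKind.IPv4;
            case UriHostNameType.IPv6: return HostKind.IPv6;
            case UriHostNameType.Dns:
                // Assumption of this example: a name whose last label is all
                // digits is a malformed IPv4 literal, not a DNS name. Names
                // with a numeric label elsewhere (e.g. 163.com) still pass.
                string name = input.TrimEnd('.');
                string last = name.Substring(name.LastIndexOf('.') + 1);
                bool numericLast = last.Length > 0 && last.All(c => c >= '0' && c <= '9');
                return numericLast ? HostKind.Invalid : HostKind.DnsName;
            default:
                return HostKind.Invalid;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "300.300.300.300", "1.2.3.999", "192.0.2.10",
            "example.com", "163.com", "2001:db8::1", ""
        };
        foreach (string s in samples)
        {
            Console.WriteLine(
                $"{s,-18} CheckHostName={Uri.CheckHostName(s),-8} Classify={Classify(s)}");
        }
    }
}
```

Code that branches on the host type, such as an allowlist that treats IP literals and DNS names differently, should make this decision once, before the string reaches a resolver.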