bug-inetutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Failure with libidn2 on OpenBSD.


From: Tim Rühsen
Subject: Re: Failure with libidn2 on OpenBSD.
Date: Sun, 5 Apr 2020 19:13:14 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0

Hi Mats,

On 05.04.20 17:28, Mats Erik Andersson wrote:
> Hello there,
> 
> since Simon Josefsson and Tim Rühsen are both involved in libidn2,
> this bug is doubly relevant here.

The bug is more relevant because Simon and I are involved in libidn2 ?
I don't understand - could could explain ?

I added address@hidden to get the experts in.

> The following call
> 
>    host = "::1";
> 
>    idna_to_ascii_lz(host, &newhost, 0);
> 
> results in
> 
>    newhost = "1"
> 
> when executed on OpenBSD 6.3 with libidn2. This is clearly not intended. 
> Right?

This is right, when the IDN2_USE_STD3_ASCII_RULES flag is set. That flag
is set by default on older versions of libidn2.
On newer versions we set it to allow certain normally disallowed
characters in domain names, like underscore.

From the NEWS file:
* Version 2.0.3 (released 2017-07-24) [beta]

** %IDN2_USE_STD3_ASCII_RULES disabled by default.
 Previously we were eliminating non-STD3 characters from domain strings
 such as _443._tcp.example.com, or IPs 1.2.3.4/24 provided to libidn2
 functions. That was an unexpected regression for applications switching
 from libidn and thus it is no longer applied by default.
 Use %IDN2_USE_STD3_ASCII_RULES to enable that behavior again.


> In contrast, FreeBSD 11 with libidn and OpenIndiana with libidn2, both lead to
> 
>    newhost = "::1"

That is a newer version of libidn2 then.

> which is to be expected of an IPv6 address. Similarly, the OpenBSD+libidn2
> call transforms the legal "::ffff:127.0.0.1" for the corrupted 
> "ffff127.0.0.1".
> 
> Thus the compatibility call idna_to_ascii_lz() in libidn2 strips off every 
> colon,
> when executed on OpenBSD but not on OpenIndiana. Explanation? Resolution?
> I get two failed tests with OpenBSD, but none with OpenIndiana!

The resolution is to update libidn2 to 2.3.0. Please check the NEWS file
for fixed bugs and vulnerabilities.

Regards, Tim

Attachment: signature.asc
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]