@stackcoder opened this Pull Request on September 25th 2014 Contributor

Underscores are valid characters in domain names, so don't prohibit them in trustedHosts[].
Also the domain name should be validated before creating the list with an invalid entry.

@mattab commented on September 26th 2014 Owner

AFAIK the hostname does not allow _ character.... According to Wikipedia:

While a hostname may not contain other characters, such as the underscore character (_), other DNS names may contain the underscore.[3]

and some other page: http://domainkeys.sourceforge.net/underscore.html

Typically, the provider notes that underscores are prohibited from use in DNS.

If I'm wrong can you point to some RFC or example?

@stackcoder commented on September 26th 2014 Contributor

For the hostname itself you're totally right; but the trusted hosts list dosn't contain only correct hostnames. At the moment only a few special characters are prohibited:

// Only punctuation we allow is '[', ']', ':', '.' and '-'
$hostLength = strlen($host);
if ($hostLength !== strcspn($host, '`~!@#$%^&*()_+={}\\|;"\'<>,?/ ')) {
  • [ : ] allowed only in IPv6 addresses
  • . allowed to concat DNS lables (e.g. subdomains) and IPv4 addresses
  • - possible usage in hostnames / DNS labels

Many other characters (especially the most of the Unicode ones) are invalid for hostnames too, but depending on the toplevel domain they are legal and currently allowed here.

A good summary could be found here: http://stackoverflow.com/questions/2180465/can-someone-have-a-subdomain-hostname-with-an-underscore-in-it
Your Wikipedia qoute also points out that underscores are valid in DNS names.

@mattab commented on September 29th 2014 Owner

Thanks for insisting, merged it as I don't think it could cause any problem yet it solves a bug for you. cheers!

This Pull Request was closed on September 29th 2014
Powered by GitHub Issue Mirror