-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dns: use IDNA 2008 to encode non-ascii hostnames #25679
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with one comment.
Should we be lenient to toASCII()
errors and call it with the 2nd
parameter set to true
and catching possible exceptions like in here?
I saw that in your PR. Are there legitimate inputs where it fails on? |
I don't know. I just saw its usage in https://github.com/nodejs/node/blob/master/lib/url.js#L385 and that the punycode implementation could potentially throw. If you don't think that's an issue I'm fine. |
test/internet/test-dns-idna2008.js
Outdated
// that doesn't support IDNA at all. | ||
// | ||
// * "straße.de" will resolve to the wrong address when the resolver supports | ||
// only IDNA 2003 (e.g., glibc until 2.28) because it encodes it wrong. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: one too many leading space
Before this commit, Node.js left it up to the system resolver or c-ares. Leaving it to the system resolver introduces platform differences because: * some support IDNA 2008 * some only IDNA 2003 (glibc until 2.28), and * some don't support IDNA at all (musl libc) c-ares doesn't support IDNA either although curl does, by virtue of linking against libidn2. Upgrading from libidn1 to libidn2 in order to get proper IDNA 2008 support was the fix for curl's CVE-2016-8625. libidn2 is not an option (incompatible license) but ICU has an IDNA API and we already use that in one place. For non-ICU builds, we fall back to the bundled punycode.js that also supports IDNA 2008. Fixes: nodejs-private/security#97 Fixes: nodejs#25558
Nit addressed and rebased: https://ci.nodejs.org/job/node-test-pull-request/20370/ |
Landed in f399b01 |
Before this commit, Node.js left it up to the system resolver or c-ares. Leaving it to the system resolver introduces platform differences because: * some support IDNA 2008 * some only IDNA 2003 (glibc until 2.28), and * some don't support IDNA at all (musl libc) c-ares doesn't support IDNA either although curl does, by virtue of linking against libidn2. Upgrading from libidn1 to libidn2 in order to get proper IDNA 2008 support was the fix for curl's CVE-2016-8625. libidn2 is not an option (incompatible license) but ICU has an IDNA API and we already use that in one place. For non-ICU builds, we fall back to the bundled punycode.js that also supports IDNA 2008. Fixes: https://github.com/nodejs-private/security/issues/97 Fixes: #25558 PR-URL: #25679 Reviewed-By: Santiago Gimeno <[email protected]> Reviewed-By: Saúl Ibarra Corretgé <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Before this commit, Node.js left it up to the system resolver or c-ares. Leaving it to the system resolver introduces platform differences because: * some support IDNA 2008 * some only IDNA 2003 (glibc until 2.28), and * some don't support IDNA at all (musl libc) c-ares doesn't support IDNA either although curl does, by virtue of linking against libidn2. Upgrading from libidn1 to libidn2 in order to get proper IDNA 2008 support was the fix for curl's CVE-2016-8625. libidn2 is not an option (incompatible license) but ICU has an IDNA API and we already use that in one place. For non-ICU builds, we fall back to the bundled punycode.js that also supports IDNA 2008. Fixes: https://github.com/nodejs-private/security/issues/97 Fixes: #25558 PR-URL: #25679 Reviewed-By: Santiago Gimeno <[email protected]> Reviewed-By: Saúl Ibarra Corretgé <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
test/internet/test-dns-idna2008.js (added in this PR four days ago) failed in CI a few hours ago: https://ci.nodejs.org/job/node-test-commit-custom-suites/855/default/console 00:01:48 not ok 9 internet/test-dns-idna2008
00:01:48 ---
00:01:48 duration_ms: 1.14
00:01:48 severity: fail
00:01:48 exitcode: 1
00:01:48 stack: |-
00:01:48 (node:4568) ExperimentalWarning: The dns.promises API is experimental
00:01:48 assert.js:753
00:01:48 throw newErr;
00:01:48 ^
00:01:48
00:01:48 AssertionError [ERR_ASSERTION]: ifError got unwanted exception: queryA ESERVFAIL straße.de
00:01:48 at QueryReqWrap.dns.resolve4.mustCall (/home/iojs/build/workspace/node-test-commit-custom-suites/default/test/internet/test-dns-idna2008.js:27:10)
00:01:48 at QueryReqWrap.callback (/home/iojs/build/workspace/node-test-commit-custom-suites/default/test/common/index.js:368:15)
00:01:48 at QueryReqWrap.onresolve [as oncomplete] (dns.js:199:10)
00:01:48 at QueryReqWrap.onresolve [as oncomplete] (dns.js:199:19)
00:01:48 ... It had previously succeeded in CI (see https://ci.nodejs.org/job/node-test-commit-custom-suites/852/default/console). |
I guess |
Before this commit, Node.js left it up to the system resolver or c-ares.
Leaving it to the system resolver introduces platform differences
because:
c-ares doesn't support IDNA either although curl does, by virtue of
linking against libidn2. Upgrading from libidn1 to libidn2 in order
to get proper IDNA 2008 support was the fix for curl's CVE-2016-8625.
libidn2 is not an option (incompatible license) but ICU has an IDNA API
and we already use that in one place. For non-ICU builds, we fall back
to the bundled punycode.js that also supports IDNA 2008.
Fixes: https://github.com/nodejs-private/security/issues/97
cc @santigimeno - I'm not too hung up on whether this PR lands or #25559 but this way at least you can compare the two. :)