Re: CVE Request: libesmtp does not check NULL bytes in commonName

[Brian Stafford <brian () stafford uklinux net>]

Ludwig Nussel wrote:
> Brian Stafford wrote:
>   
> > Since both the original and patched versions of match_component() 
> > implement wildcards rather less liberally than RFC 2818 implies, I 
> > decided to move towards the approach in the I-D.  match_component() now 
> > accepts either a string or a single wildcard '*'.  Matched characters 
> > are validated against the set of valid domain name component characters 
> > , that is, *.example.org will not match %.example.org, nor for that 
> > matter will the pattern %.example.org.  Question: should underline '_' 
> > be in the set of valid characters?
> >     
>
> AFAIK underlines are not allowed in DNS. I'm sure someone knows the
> RFC for that too :-)
>   
They are permitted in some contexts but not in actual domain names, for 
example a SRV record question to a name server contains stuff like 
_smtp._tcp.host.example.org  The host.example.org section is forbidden 
from using _ but obviously the name server itself supports it so it can 
handle the _smtp._tcp components.  I am assuming that since we're 
validating domain names and not name server queries, the _ is forbidden 
but if anyone out there can clarify it might be useful :-)
> cu
> Ludwig
>
>   
Brian