Bugzilla

(In reply to Dana Keeler [:keeler] (use needinfo?) from comment #14)
> Oh, I see. To me, that list allows the following ASCII: control codes that
> are not NUL, TAB, LF, or CR; alphanumeric (no problems there); and !, ", $,
> &, ', (, ), *, +, ',', -, ., ;, <, =, >, ^, _, `, {, |, }, and ~.
> 
> Supporting all of that punctuation seems strange to me, but I can't think of
> a security concern if they're used.

We should not be supporting such ridiculous characters in hostnames. Good luck getting most hostname parsers out there to actually understand a hostname that has '<' or ')' in it. As for security, '*' would obviously have a major security impact if permitted in hostnames, considering that acts as a wildcard in TLS certificates. Underscores are used in DNS for a variety of purposes, though not generally for actual hostnames (see http://domainkeys.sourceforge.net/underscore.html or http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch04_05.htm, which states 'Underscores are not allowed in host names.' based off of RFC 952). I don't see a direct security issue in supporting underscores, but I don't think we should be adding all those other random ASCII characters, especially considering some are unsafe shell characters.