Merge branch '1610-disable-UseSTD3ASCIIRules-in-idn2' into 'main'

Disable IDN2_USE_STD3_ASCII_RULES to idn2 conversion functions Closes #1610 See merge request isc-projects/bind9!5605
2021-12-01 15:32:29 +00:00
parent 71ee5f6148 1d42178c46
commit 081e18edc8
4 changed files with 34 additions and 32 deletions
--- a/7
+++ b/7
@@ -1,3 +1,10 @@
+5771.	[bug]		Use idn2 UseSTD3ASCIIRules=false to disable additional
+			unicode validity checks because enabling the additional
+			checks would break valid domain names that contains
+			non-alphanumerical characters such as underscore
+			character (_) or wildcard (*).  This reverts change
+			[GL !5738] from the previous release. [GL #1610]
+
 5770.	[func]		BIND could abort on startup on systems using old
 			OpenSSL versions when 'protocols' option is used inside
 			a 'tls' statement. [GL !5602]
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -4365,9 +4365,7 @@ idn_locale_to_ace(const char *src, char *dst, size_t dstlen) {
 	 * We trust libidn2 to return an error if 'src' is too large to be a
 	 * valid domain name.
 	 */
-	res = idn2_to_ascii_lz(src, &ascii_src,
-			       IDN2_NONTRANSITIONAL |
-				       IDN2_USE_STD3_ASCII_RULES);
+	res = idn2_to_ascii_lz(src, &ascii_src, IDN2_NONTRANSITIONAL);
 	if (res != IDN2_OK) {
 		fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnin",
 		      src, idn2_strerror(res));
@@ -4422,7 +4420,7 @@ idn_ace_to_locale(const char *src, char **dst) {
 	 *
 	 * First, convert 'src' to UTF-8, ignoring the current locale.
 	 */
-	res = idn2_to_unicode_8z8z(src, &utf8_src, IDN2_USE_STD3_ASCII_RULES);
+	res = idn2_to_unicode_8z8z(src, &utf8_src, 0);
 	if (res != IDN2_OK) {
 		fatal("Bad ACE string '%s' (%s), use +noidnout", src,
 		      idn2_strerror(res));
@@ -4431,9 +4429,7 @@ idn_ace_to_locale(const char *src, char **dst) {
 	/*
 	 * Then, check whether decoded 'src' is a valid IDNA2008 name.
 	 */
-	res = idn2_to_ascii_8z(utf8_src, NULL,
-			       IDN2_NONTRANSITIONAL |
-				       IDN2_USE_STD3_ASCII_RULES);
+	res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL);
 	if (res != IDN2_OK) {
 		fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout",
 		      src, idn2_strerror(res));
@@ -4443,13 +4439,11 @@ idn_ace_to_locale(const char *src, char **dst) {
 	 * Finally, try converting the decoded 'src' into the current locale's
 	 * character encoding.
 	 */
-	res = idn2_to_unicode_8zlz(utf8_src, &local_src,
-				   IDN2_USE_STD3_ASCII_RULES);
+	res = idn2_to_unicode_8zlz(utf8_src, &local_src, 0);
 	if (res != IDN2_OK) {
 		static bool warned = false;

-		res = idn2_to_ascii_8z(utf8_src, &local_src,
-				       IDN2_USE_STD3_ASCII_RULES);
+		res = idn2_to_ascii_8z(utf8_src, &local_src, 0);
 		if (res != IDN2_OK) {
 			fatal("Cannot represent '%s' "
 			      "in the current locale nor ascii (%s), "
--- a/bin/tests/system/idna/tests.sh
+++ b/bin/tests/system/idna/tests.sh
@@ -348,28 +348,23 @@ idna_enabled_test() {
    idna_fail "$text" "+noidnin +idnout"   "xn--19g"
    idna_fail "$text" "+idnin   +idnout"   "xn--19g"

-    # Test that the UseSTD3ASCIIRules is being used
-    #
-    # Note that "+noidnin +idnout" is not tested because libidn2 2.2.0+ parses
-    # Punycode more strictly than older versions and thus dig succeeds with that
-    # combination of options with libidn2 2.2.0+ but fails with older
-    # versions.
-    #
-    # Note that "+idnin +idnout" is not tested because libidn2 2.2.0+ parses
-    # Punycode more strictly than older versions and thus dig fails with that
-    # combination of options with libidn2 2.2.0+ but succeeds with older
-    # versions.
-    #
-    # With UseSTD13ASCIIRules=false, 'â˜º' produces 'xn--\032o-oia59s'
-    #
-    # With UseSTD13ASCIIRules=true, 'â˜º' produces 'xn--o-vfa'

-    text="Check that UseSTD3ASCIIRules is being used"
-    idna_test "$text" ""                   "â˜º" "\195\162\203\156\194\186."
-    idna_test "$text" "+noidnin +noidnout" "â˜º" "\195\162\203\156\194\186."
-    # idna_test "$text" "+noidnin +idnout"   "â˜º" "xn--o-vfa."
-    idna_test "$text" "+idnin   +noidnout" "â˜º" "xn--o-vfa."
-    # idna_fail "$text" "+idnin   +idnout"   "â˜º" "âo."
+    # Test that non-letter characters are preserved in the output.  When
+    # UseSTD3ASCIIRules are enabled, it would mangle non-letter characters like
+    # `_` (underscore) and `*` (wildcard.
+
+    test="Checking valid non-letter characters"
+    idna_test "$text" ""                   "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+    idna_test "$text" "+noidnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+    idna_test "$text" "+noidnin +idnout"   "*.xn--nxasmq6b.com" "*.βόλοσ.com."
+    idna_test "$text" "+idnin +noidnout"   "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+    idna_test "$text" "+idnin +idnout"     "*.xn--nxasmq6b.com" "*.βόλοσ.com."
+
+    idna_test "$text" ""                   "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+    idna_test "$text" "+noidnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+    idna_test "$text" "+noidnin +idnout"   "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com."
+    idna_test "$text" "+idnin +noidnout"   "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+    idna_test "$text" "+idnin +idnout"     "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com."
 }


--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -43,6 +43,12 @@ Feature Changes
  For example: ``allow-transfer port 853 transport tls { any; };``
  :gl:`#2776`

+- `UseSTD3ASCIIRules`_ is now disabled for IDN support. This disables additional
+  validation rules for domain names in dig because applying the rules would
+  silently strip characters not-allowed in hostnames such as underscore (``_``)
+  or wildcard (``*``) characters.  This reverts change :gl:`!5738` from the
+  previous release.  :gl:`#1610`
+
 Bug Fixes
 ~~~~~~~~~