[New bug]: The API for setting host name (CNAME) allow invalid character

This is not question, but rather a bug report.
The api to set API allow invalid host name (include character such as / $).
Before the api would return an error and now allow it.

This is a new issue as was not allowed before (I would say 1-2 week max).

If this bug is reproducible, can you submit it to the bug bounty team?


Yes I could, I don’t know how to do that. My company have unit test that run daily, and that test started to failed a couple days ago. I was able to create a CNAME that included “#” and “/” characters… that were not possible before.

Try it yourself!

The team did make that change intentionally because it’s a valid in a DNS name. While valid, it does introduce issues. If those affect you, let the team know by following the process above, they will appreciate the feedback.

1 Like

Thanks Cloonan for responding but I have reserved about what is “valid” for hosting name.

For instance, I’ve created a$/.webaweb.net but I can’t ping it, resolve it on my system I can think off.

RFC 1123 say that:

  • The hostname must consist of a series of labels connected by dots (“.”). Each label must start and end with an alphanumeric character.
  • Each label can contain alphanumeric characters (‘a’-‘z’, ‘A’-‘Z’, ‘0’-‘9’) and hyphens (‘-’), but cannot start or end with a hyphen.
  • The labels cannot be all numeric, to avoid confusion with IP addresses.
  • The entire hostname (including the dots) has a maximum length of 253 characters.
  • Individual labels within the hostname are limited to 63 characters.

I don’t see any provision for special character.

In all cases, it’s fine by me, I wanted to report it in case you miss something, and no it doesn’t create me issue.

1 Like

RFC 2181 clarifies this:

Wow, that’s good to know. Thanks Laudian for the reference. Good to know we can store pretty much anything!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.