Skip to content

fix(DnsPinMiddlware): only pass punycode/ASCII hostname to dns_get_record #56197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

fix(DnsPinMiddlware): only pass punycode/ASCII hostname to dns_get_record #56197

wants to merge 4 commits into from
+109 −1

Conversation

@joshtrichards
Copy link
Member

@joshtrichards joshtrichards commented Nov 4, 2025
edited
Loading

Summary

tldr: The current use of idn_to_utf8() in this context breaks DNS resolution for both Unicode IDNs and explicit punycode hostnames. It also doesn't seem to match the intention.

Likely also fixes #53185

Details

dns_get_record() only supports ASCII/Punycode input. idn_to_utf8() converts Punycode/ASCII hostnames to their Unicode form.

If we pass it raw Unicode (e.g., "bücher.com"), it returns it unchanged. If you give it Punycode (e.g., "xn--bcher-kva.com"), it returns the Unicode (e.g., "bücher.com").

Neither of which will work with dns_get_record().

Passing either raw Unicode or the output of idn_to_utf8() on a punycode string to dns_get_record() will result in DNS resolution failure for IDNs. Only ASCII/punycode should be passed to the resolver.

Not caught by unit tests previously due to ASCII-only hostnames, mocked DNS, etc.

TODO

Checklist

@joshtrichards
fix(DnsPinMiddlware): only pass punycode/ASCII hostname to dns_get_re…
a2b0266 
…cord

`dns_get_record()` only supports ASCII/Punycode input. `idn_to_utf8()` converts Punycode/ASCII hostnames to their Unicode form.

If we pass it raw Unicode (e.g., "bücher.com"), it returns it unchanged. If you give it Punycode (e.g., "xn--bcher-kva.com"), it returns the Unicode (e.g., "bücher.com").

Neither of which will work with dns_get_record().

Passing either raw Unicode or the output of idn_to_utf8() on a punycode string to dns_get_record() will result in DNS resolution failure for IDNs. Only ASCII/punycode should be passed to the resolver.

Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards
chore: add IDN scenarios to DnsPinMiddleware tests
172b99c 
Add tests for DNS pinning middleware handling of Punycode and Unicode hostnames.

Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards joshtrichards added bug 3. to review Waiting for reviews labels Nov 4, 2025
@joshtrichards
Copy link
Member Author

joshtrichards commented Nov 4, 2025

/backport to stable32

@joshtrichards
Copy link
Member Author

joshtrichards commented Nov 4, 2025

/backport to stable31

@joshtrichards
chore: make psalm happy even though has defaults
203309f 
Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards
chore: psalm psalm psalm
11c4785 
Signed-off-by: Josh <josh.t.richards@gmail.com>
kesselb
kesselb approved these changes Nov 4, 2025
View reviewed changes
Copy link
Collaborator

@kesselb kesselb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you 👍

I'd agree we want to use idn_to_ascii and not idn_to_utf8 🙈

lib/private/Http/Client/DnsPinMiddleware.php
}

$targetIps = $this->dnsResolve(idn_to_utf8($hostName), 0);
$targetIps = $this->dnsResolve(idn_to_ascii($hostName, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46, null), 0);
Copy link
Collaborator

@kesselb kesselb Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$targetIps = $this->dnsResolve(idn_to_ascii($hostName, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46, null), 0);
$targetIps = $this->dnsResolve(idn_to_ascii($hostName, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46), 0);

tests/lib/Http/Client/DnsPinMiddlewareTest.php
->with(
$this->callback(function ($hostname) use ($punycodeHost) {
// Should never be raw Unicode here!
$this->assertEquals($punycodeHost, $hostname, "dnsGetRecord should be called with Punycode ASCII host");
Copy link
Collaborator

@kesselb kesselb Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$this->assertEquals($punycodeHost, $hostname, "dnsGetRecord should be called with Punycode ASCII host");
$this->assertEquals($punycodeHost, $hostname, 'dnsGetRecord should be called with Punycode ASCII host');

For a happy linter ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kesselb kesselb kesselb approved these changes

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

@come-nc come-nc Awaiting requested review from come-nc

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

3. to review Waiting for reviews backport-request bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Cant add IDN hostname to federation

3 participants

@joshtrichards @kesselb