Bug 1878319 - Having a trailing dot in the host when requesting a Route elicits an HTTP 503 response
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.6.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-11 23:07 UTC by Miciah Dashiel Butler Masters
Modified: 2020-09-16 09:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Github openshift router pull 180 None closed Bug 1878319: Allow trailing dots in host names 2020-09-21 04:56:09 UTC

Description Miciah Dashiel Butler Masters 2020-09-11 23:07:39 UTC
Description of problem:

If I send an HTTP request for a Route to an ingress controller, and the request includes a trailing dot in the host name, then the ingress controller responds with an HTTP 503 error response.


Version-Release number of selected component (if applicable):

4.6.0-0.ci-2020-09-11-154332


How reproducible:

Easily.


Steps to Reproduce:

1. Create a test application Pod, Service, and Route:

    oc adm new-project hello-openshift
    oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json
    oc -n hello-openshift expose pod/hello-openshift
    oc -n hello-openshift expose svc/hello-openshift

2. Send an HTTP request to the Route created in Step 1 using the route's host *without* a trailing dot:

    INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
    curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}/

3. Send an HTTP request to the Route using the route's host *with* a trailing dot:

    curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}./


Actual results:

Step 2 results in an HTTP 200 response:

    % curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}/
    * About to connect() to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com port 80 (#0)
    *   Trying 35.185.121.200...
    * Connected to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com (35.185.121.200) port 80 (#0)
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Fri, 11 Sep 2020 22:40:33 GMT
    < content-length: 17
    < content-type: text/plain; charset=utf-8
    < set-cookie: 5f0b3401a2c37e8a693db0102c7aba91=0a081daf523c9e92e77c522db9f297ad; path=/; HttpOnly
    < cache-control: private
    <
    Hello OpenShift!

Step 3 results in an HTTP 503 response:

    % curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}./
    * About to connect() to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com. port 80 (#0)
    *   Trying 35.185.121.200...
    * Connected to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com. (35.185.121.200) port 80 (#0)
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com.
    > Accept: */*
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 503 Service Unavailable
    < pragma: no-cache
    < cache-control: private, max-age=0, no-cache, no-store
    < content-type: text/html
    <
    [...]


Expected results:

Both Step 2 and Step 3 should result in HTTP 200 responses.


Additional info:

RFC 7230, section 5.4, specifies that the HTTP "host" header value includes the URI host as defined in RFC 3986, section 3.2.2, which indicates that a trailing dot is permitted.
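
The behaviour reported above, as an added example that is not part of the bug report or of the openshift/router code: a host-keyed route lookup that misses on an exact string match, next to one that normalizes the Host header first. The route table, the `apps.example.com` host and the function names are constructed for illustration, and the page does not show how the actual fix was implemented.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed route table: route host -> backend service (not real cluster data).
var routes = map[string]string{
	"hello-openshift-hello-openshift.apps.example.com": "hello-openshift",
}

// normalizeHost reduces a Host header value to the key used in the route
// table: optional port removed, lower-cased, one trailing dot dropped.
func normalizeHost(hostHeader string) string {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // header carried an explicit port
	}
	return strings.TrimSuffix(strings.ToLower(host), ".")
}

// status returns the HTTP status a host-keyed lookup would produce:
// 200 when a route matches, 503 when none does.
func status(hostHeader string, normalize bool) int {
	key := hostHeader
	if normalize {
		key = normalizeHost(hostHeader)
	}
	if _, ok := routes[key]; ok {
		return 200
	}
	return 503
}

func main() {
	base := "hello-openshift-hello-openshift.apps.example.com"
	// Plain host, FQDN form, FQDN form with port, and an invalid empty label.
	for _, h := range []string{base, base + ".", base + ".:80", base + ".."} {
		fmt.Printf("%-55q exact=%d normalized=%d\n", h, status(h, false), status(h, true))
	}
}
```

Only a single trailing dot is removed, so a host ending in two dots still fails to match. Any host-based allow or deny rule evaluated in front of the lookup should use the same normalized form, so that both spellings of a name are treated identically.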

Comment 2 Arvind iyengar 2020-09-16 09:06:45 UTC
The merge made it into the "4.6.0-0.nightly-2020-09-15-030633" release. The route remains reachable even with trailing dots added to it:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-09-15-030633   True        False         21h     Cluster version is  4.6.0-0.nightly-2020-09-15-030633

$ curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}./
*   Trying 3.131.240.35:80...
* TCP_NODELAY set
* Connected to hello-openshift-hello-openshift.apps.oc46-aiyengar-1509.qe.devcluster.openshift.com (3.131.240.35) port 80 (#0)
> GET / HTTP/1.1
> Host: hello-openshift-hello-openshift.apps.oc46-aiyengar-1509.qe.devcluster.openshift.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Wed, 16 Sep 2020 08:59:50 GMT
< content-length: 17
< content-type: text/plain; charset=utf-8
< set-cookie: 5f0b3401a2c37e8a693db0102c7aba91=840cc41421b2785a61ff72c75f816a53; path=/; HttpOnly
< cache-control: private
< 
Hello OpenShift!
* Connection #0 to host hello-openshift-hello-openshift.apps.oc46-aiyengar-1509.qe.devcluster.openshift.com left intact
-----

