Bug 1878319 - Having a trailing dot in the host when requesting a Route elicits an HTTP 503 response
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: 4.6.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-11 23:07 UTC by Miciah Dashiel Butler Masters
Modified: 2022-08-04 22:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:40:12 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift router pull 180 | 0 | None | closed | Bug 1878319: Allow trailing dots in host names | 2021-02-17 15:30:13 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:40:34 UTC

Description Miciah Dashiel Butler Masters 2020-09-11 23:07:39 UTC
Description of problem:

If I send an HTTP request for a Route to an ingress controller, and the request includes a trailing dot in the host name, then the ingress controller responds with an HTTP 503 error response.


Version-Release number of selected component (if applicable):

4.6.0-0.ci-2020-09-11-154332


How reproducible:

Easily.


Steps to Reproduce:

1. Create a test application Pod, Service, and Route:

    oc adm new-project hello-openshift
    oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json
    oc -n hello-openshift expose pod/hello-openshift
    oc -n hello-openshift expose svc/hello-openshift

2. Send an HTTP request to the Route created in Step 1 using the route's host *without* a trailing dot:

    INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
    curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}/

3. Send an HTTP request to the Route using the route's host *with* a trailing dot:

    curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}./


Actual results:

Step 2 results in an HTTP 200 response:

    % curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}/
    * About to connect() to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com port 80 (#0)
    *   Trying 35.185.121.200...
    * Connected to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com (35.185.121.200) port 80 (#0)
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Fri, 11 Sep 2020 22:40:33 GMT
    < content-length: 17
    < content-type: text/plain; charset=utf-8
    < set-cookie: 5f0b3401a2c37e8a693db0102c7aba91=0a081daf523c9e92e77c522db9f297ad; path=/; HttpOnly
    < cache-control: private
    <
    Hello OpenShift!

Step 3 results in an HTTP 503 response:

    % curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}./
    * About to connect() to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com. port 80 (#0)
    *   Trying 35.185.121.200...
    * Connected to hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com. (35.185.121.200) port 80 (#0)
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: hello-openshift-hello-openshift.apps.ci-ln-5510vdk-f76d1.origin-ci-int-gce.dev.openshift.com.
    > Accept: */*
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 503 Service Unavailable
    < pragma: no-cache
    < cache-control: private, max-age=0, no-cache, no-store
    < content-type: text/html
    <
    [...]


Expected results:

Both Step 2 and Step 3 should result in HTTP 200 responses.


Additional info:

RFC 7230, section 5.4, specifies that the HTTP "host" header value includes the URI host as defined in RFC 3986, section 3.2.2, which indicates that a trailing dot is permitted.
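
The behaviour reported above, as an added Go example that is not the router's code or the fix from the linked pull request: a host lookup that compares the Host header byte for byte misses the trailing-dot form, while canonicalizing the header first matches it. The route table, the `apps.example.test` domain and all function names are constructed for illustration, and the map-based lookup is an assumption about how such matching could be modelled.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed route table, keyed by canonical host (lowercase, no trailing dot).
var routes = map[string]string{
	"hello-openshift-hello-openshift.apps.example.test": "hello-openshift",
}

// canonicalHost reduces a Host header value to the map-key form: port removed,
// lowercased, and a single trailing root-label dot removed.
func canonicalHost(hostHeader string) string {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // a port was present; keep only the host part
	}
	host = strings.ToLower(host)
	// "a.test." and "a.test" name the same host; "a.test.." is malformed and left alone.
	if len(host) > 1 && strings.HasSuffix(host, ".") && !strings.HasSuffix(host, "..") {
		host = strings.TrimSuffix(host, ".")
	}
	return host
}

// statusExact models a lookup that compares the Host header byte for byte.
func statusExact(hostHeader string) int {
	if _, ok := routes[hostHeader]; ok {
		return 200
	}
	return 503
}

// statusCanonical canonicalizes the header before the lookup.
func statusCanonical(hostHeader string) int {
	if _, ok := routes[canonicalHost(hostHeader)]; ok {
		return 200
	}
	return 503
}

func main() {
	base := "hello-openshift-hello-openshift.apps.example.test"
	for _, h := range []string{base, base + ".", base + ".:80", base + ".."} {
		fmt.Printf("%-54s exact=%d canonical=%d\n", h, statusExact(h), statusCanonical(h))
	}
}
```

Any other component that makes decisions on the host name (an allowlist, a log correlation key, a certificate check) needs the same canonical form, otherwise the dotted and undotted names are treated as two different hosts.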

Comment 2 Arvind iyengar 2020-09-16 09:06:45 UTC
The merge made it into the "4.6.0-0.nightly-2020-09-15-030633" release. The route remains reachable even with trailing dots added to it:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-09-15-030633   True        False         21h     Cluster version is  4.6.0-0.nightly-2020-09-15-030633

$ curl -v http://hello-openshift-hello-openshift.${INGRESS_DOMAIN}./
*   Trying 3.131.240.35:80...
* TCP_NODELAY set
* Connected to hello-openshift-hello-openshift.apps.oc46-aiyengar-1509.qe.devcluster.openshift.com (3.131.240.35) port 80 (#0)
> GET / HTTP/1.1
> Host: hello-openshift-hello-openshift.apps.oc46-aiyengar-1509.qe.devcluster.openshift.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Wed, 16 Sep 2020 08:59:50 GMT
< content-length: 17
< content-type: text/plain; charset=utf-8
< set-cookie: 5f0b3401a2c37e8a693db0102c7aba91=840cc41421b2785a61ff72c75f816a53; path=/; HttpOnly
< cache-control: private
< 
Hello OpenShift!
* Connection #0 to host hello-openshift-hello-openshift.apps.oc46-aiyengar-1509.qe.devcluster.openshift.com left intact
-----

Comment 5 errata-xmlrpc 2020-10-27 16:40:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

