Trailing Dots Are the Worst
6 hours ago
- #URL parsing
- #trailing dots
- #curl
- Trailing dots after hostnames in URLs cause persistent problems in curl.
- In curl 8.21.0, three new issues involving trailing dots were fixed: IPv4 address validation, double trailing dots in HSTS, and cookie domain checks.
- For IPv4 addresses with trailing dots, curl now removes the dot during normalization, aligning with browser behavior, though some users expect an error.
- Double trailing dots are now banned in curl due to conflicts in HSTS logic and other internal processes.
- A CVE-2026-8924 vulnerability involved trailing dots bypassing PSL checks for cookie domains, fixed in curl 8.21.0.
- The author expresses frustration with trailing dots and debates whether removing dots or returning errors is better.