WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 14 months ago

#21994 new enhancement

Subdomains may not exceed 63 characters in length

Reported by: humanshell
Owned by:
Milestone: Future Release
Priority: low
Severity: normal
Version: 3.4
Component: Networks and Sites
Keywords: has-patch
Focuses: multisite
Cc:

Description

According to section 3.1 "Name space specifications and terminology" of RFC1034, domain names are nodes in a tree structure and "Each node has a label, which is zero to 63 octets in length."

WP should help to correctly enforce this requirement, so I've attached a patch that adds a maxlength="63" attribute on the input field on line 126 of wp-admin/network/site-new.php. This should help sites and network admins prevent the creation of blogs hosted on subdomain installs that will not resolve properly, and at the same time allow for maximum length subdomains.

Attachments (2)

wp-subdomain-maxlength-REV1.diff (950 bytes) - added by humanshell 3 years ago.
21994.diff (1.5 KB) - added by jeremyfelt 14 months ago.

Change History (13)

comment:1 @boonebgorges 3 years ago

  • Cc boonebgorges@… added

There should also probably be some server-side validation going on here. At the moment, if you enter a subdomain longer than 63 characters, WP will allow the blog to be created, but then it will be accessible through a browser.

comment:2 @wonderboymusic 3 years ago

Later on down the RFC......:

> To simplify implementations, the total number of octets that represent a
> domain name (i.e., the sum of all label octets and label lengths) is
> limited to 255.

comment:3 @wonderboymusic 3 years ago

This URL is over 300 characters, has a node that is over 63, and totally works when I set it up locally:

http://seutperspiciatisundeomnisistenatuserrorsitvoluptatem.accusantiumdoloremque
laudantium.totamremaperiameaqueipsaquaeabillonventoreveritatisetquasiarchitectobe
ataevitaedictasuntexplicabohitectobeataevitaedictasuntexplicabohitectobeataevitaedict
asuntexplicabo908237527525727592572727wetuiowuwtwtthwktkjwthhkwhjkthjkhhttkhwekhtk/

comment:4 @dd32 3 years ago

> This URL is over 300 characters, has a node that is over 63, and totally works when I set it up locally:

Yeah, many systems are known to ignore that RFC limitation, but there are other systems (ie. DNS servers) which are known to limit to the RFC as well.

comment:5 @SergeyBiryukov 3 years ago

  • Version changed from trunk to 3.4

comment:6 @jeremyfelt 17 months ago

  • Keywords needs-patch added; has-patch removed
  • Milestone changed from Awaiting Review to Future Release
  • Priority changed from normal to low

It would be interesting to visit this at some point in an attempt to help guide toward best practice.

As Boone mentioned, this should happen server side rather than with the maxchars attribute on the input field. We should probably use a filter to allow for this to be overridden.

comment:7 @jeremyfelt 15 months ago

  • Milestone changed from Future Release to 3.9

Moving to 3.9 for discussion. This should be addressed as part of a domain strategy with multisite.

comment:8 @jeremyfelt 15 months ago

  • Component changed from Network Admin to Networks and Sites

@jeremyfelt 14 months ago

comment:9 @jeremyfelt 14 months ago

  • Keywords has-patch added; needs-patch removed

21994.diff adds a strlen() check to the new site process for both subdomain and domain. A max of 63 characters for the label and a max of 255 characters for the full domain.

RFC1034 doesn't really clarify, but per RFC 2181, 255 is the total limit for a domain name rather than the sum of all labels without separators.

Another interesting note from RFC 1034 that this doesn't attempt to address:

> Brother nodes may not have the same label, although the same label can be used for nodes which are not brothers.

comment:10 @nacin 14 months ago

Trying to think, does this have the potential to break when multibyte overloading is used?

comment:11 @jeremyfelt 14 months ago

  • Milestone changed from 3.9 to Future Release

21994.diff is a pretty cheap attempt. There are probably other places beyond the new site form that we can touch this in. Pushing to a future release.
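
Added example (not part of the ticket and not the contents of 21994.diff): one way to write the server-side length check discussed in comments 1, 6 and 9, counting octets in a way that the multibyte overloading raised in comment 10 cannot skew. The function names are hypothetical, the input is assumed to already be an ASCII hostname, and the 255 limit is applied to the sum of label octets and label lengths as in the RFC 1034 sentence quoted in comment 2.

```php
<?php
// Added example: hypothetical helpers, not WordPress core functions.

// Count octets. The '8bit' encoding makes mb_strlen() return bytes even where
// mbstring.func_overload (removed in PHP 8.0) has replaced strlen().
function example_octets( $s ) {
	return function_exists( 'mb_strlen' ) ? mb_strlen( $s, '8bit' ) : strlen( $s );
}

// Returns an array of problems; an empty array means the name fits.
// Assumes $hostname is already ASCII (an IDN must be converted first).
function example_hostname_length_errors( $hostname ) {
	$hostname = preg_replace( '/\.$/', '', $hostname ); // One trailing dot only marks the root.
	if ( '' === $hostname ) {
		return array( 'hostname is empty' );
	}

	$errors = array();
	$total  = 1; // Length octet of the zero-length root label.
	foreach ( explode( '.', $hostname ) as $label ) {
		$len = example_octets( $label );
		if ( 0 === $len ) {
			$errors[] = 'empty label (consecutive dots)';
		} elseif ( $len > 63 ) {
			$errors[] = sprintf( 'label of %d octets exceeds 63', $len );
		}
		$total += 1 + $len; // Each label is stored with one length octet.
	}

	// RFC 1034: label octets plus label lengths are limited to 255.
	if ( $total > 255 ) {
		$errors[] = sprintf( 'name needs %d octets, limit is 255', $total );
	}
	return $errors;
}

// Constructed sample input: a 63-octet label, a 64-octet label, and a name
// whose labels are all legal but whose total is too long.
$samples = array(
	str_repeat( 'a', 63 ) . '.example.org',
	str_repeat( 'a', 64 ) . '.example.org',
	implode( '.', array_fill( 0, 5, str_repeat( 'b', 50 ) ) ) . '.example.org',
);
foreach ( $samples as $name ) {
	$errors = example_hostname_length_errors( $name );
	printf( "%d octets: %s\n", example_octets( $name ), $errors ? implode( '; ', $errors ) : 'ok' );
}
```

Counted this way, the longest name that passes is 253 characters in dotted text form, so a plain 255-character check on the typed string is slightly more permissive.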