Make WordPress Core

Opened 12 years ago

Last modified 5 years ago

#21994 new enhancement

Subdomains may not exceed 63 characters in length

Reported by: humanshell's profile humanshell Owned by:
Milestone: Priority: low
Severity: normal Version: 3.4
Component: Networks and Sites Keywords: has-patch
Focuses: multisite Cc:


According to section 3.1 "Name space specifications and terminology" of RFC1034, domain names are nodes in a tree structure and "Each node has a label, which is zero to 63 octets in length."

WP should help to correctly enforce this requirement, so I've attached a patch that adds a maxlength="63" attribute on the input field on line 126 of wp-admin/network/site-new.php. This should help sites and network admins prevent the creation of blogs hosted on subdomain installs that will not resolve properly, and at the same time allow for maximum length subdomains.

Attachments (2)

wp-subdomain-maxlength-REV1.diff (950 bytes) - added by humanshell 12 years ago.
21994.diff (1.5 KB) - added by jeremyfelt 10 years ago.

Download all attachments as: .zip

Change History (14)

#1 @boonebgorges
12 years ago

  • Cc boonebgorges@… added

There should also probably be some server-side validation going on here. At the moment, if you enter a subdomain longer than 63 characters, WP will allow the blog to be created, but then it will be accessible through a browser.

#2 @wonderboymusic
12 years ago

Later on down the RFC......:

To simplify implementations, the total number of octets that represent a
domain name (i.e., the sum of all label octets and label lengths) is
limited to 255.

#3 @wonderboymusic
12 years ago

This URL is over 300 characters, has a node that is over 63, and totally works when I set it up locally:


#4 @dd32
12 years ago

This URL is over 300 characters, has a node that is over 63, and totally works when I set it up locally:

Yeah, many systems are known to ignore that RFC limitation, but there are other systems (ie. DNS servers) which are known to limit to the RFC as well.

#5 @SergeyBiryukov
12 years ago

  • Version changed from trunk to 3.4

#6 @jeremyfelt
10 years ago

  • Keywords needs-patch added; has-patch removed
  • Milestone changed from Awaiting Review to Future Release
  • Priority changed from normal to low

It would be interesting to visit this at some point in an attempt to help guide toward best practice.

As Boone mentioned, this should happen server side rather than with the maxchars attribute on the input field. We should probably use a filter to allow for this to be overridden.

#7 @jeremyfelt
10 years ago

  • Milestone changed from Future Release to 3.9

Moving to 3.9 for discussion. This should be addressed as part of a domain strategy with multisite.

#8 @jeremyfelt
10 years ago

  • Component changed from Network Admin to Networks and Sites

10 years ago

#9 @jeremyfelt
10 years ago

  • Keywords has-patch added; needs-patch removed

21994.diff adds a strlen() check to the new site process for both subdomain and domain. A max of 63 characters for the label and a max of 255 characters for the full domain.

RFC1034 doesn't really clarify, but per RFC 2181, 255 is the total limit for a domain name rather than the sum of all labels without separators.

Another interesting note from RFC 1034 that this doesn't attempt to address:

Brother nodes may not have the same label, although the same label can be used for nodes which are not brothers.

#10 @nacin
10 years ago

Trying to think, does this have the potential to break when multibyte overloading is used?

#11 @jeremyfelt
10 years ago

  • Milestone changed from 3.9 to Future Release

21994.diff is a pretty cheap attempt. There are probably other places beyond the new site form that we can touch this in. Pushing to a future release.

This ticket was mentioned in Slack in #core-multisite by rmccue. View the logs.

9 years ago

Note: See TracTickets for help on using tickets.