Author mattrobenolt
Recipients eryksun, koobs, mattrobenolt, ned.deily, r.david.murray, ronaldoussoren, vstinner, xiang.zhang
Date 2016-07-26.13:30:08
Message-id <1469539808.11.0.635862155523.issue27612@psf.upfronthosting.co.za>
Content
> Why do you need octal addresses? What is your use case? :-p

I didn't, but an attacker leveraged this to bypass security. We had checks against `127.0.0.1`, but this resolved to `177.0.0.1` incorrectly, bypassing the check. We were using `socket.gethostbyname` which yielded this.

See https://github.com/getsentry/sentry/pull/3787 for a little bit more context.
History
Date | User | Action | Args
2016-07-26 13:30:08 | mattrobenolt | set | recipients: + mattrobenolt, ronaldoussoren, vstinner, ned.deily, r.david.murray, koobs, eryksun, xiang.zhang
2016-07-26 13:30:08 | mattrobenolt | set | messageid: <1469539808.11.0.635862155523.issue27612@psf.upfronthosting.co.za>
2016-07-26 13:30:08 | mattrobenolt | link | issue27612 messages
2016-07-26 13:30:08 | mattrobenolt | create |
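
An added example, not part of the original message and not code from CPython or Sentry: one way to write the kind of destination check described above so that it does not depend on how the platform parses octal-style literals. The names `checked_address`, `sample_resolve` and `SAMPLE_DNS` are hypothetical, and the lookup table is constructed sample data standing in for DNS.

```python
import ipaddress
import re

# Canonical dotted quad: four decimal octets, no leading zeros.
_CANONICAL_V4 = re.compile(r"^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$")
# Every label is all digits or 0x-hex: the host is a numeric literal.
_LABEL = r"(0[xX][0-9a-fA-F]+|[0-9]+)"
_NUMERIC = re.compile(r"^" + _LABEL + r"(\." + _LABEL + r")*$")

# Constructed sample data so the example runs offline.
SAMPLE_DNS = {"public.example": "8.8.8.8", "internal.example": "10.0.0.5",
              "loop.example": "127.0.0.1"}


def sample_resolve(name):
    """Hypothetical resolver; production code would pass socket.gethostbyname."""
    try:
        return SAMPLE_DNS[name]
    except KeyError:
        raise OSError("unknown host: " + name)


def checked_address(host, resolve=sample_resolve):
    """Return the vetted IPv4 string to connect to, or None to refuse."""
    host = host.strip().rstrip(".")
    if _NUMERIC.match(host):
        # Octal, hex, short or integer spellings are parsed differently by
        # different resolvers, so only the canonical form is accepted and
        # a numeric literal is never handed to the resolver.
        if not _CANONICAL_V4.match(host):
            return None
        text = host
    else:
        try:
            text = resolve(host)
        except OSError:
            return None
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:  # for example an octet above 255
        return None
    # Decide on the parsed address, not on the string the user supplied.
    if not addr.is_global or addr.is_multicast:
        return None
    return str(addr)
```

The caller should connect to the returned address rather than resolving the name a second time, so the address that was checked is the address that is used.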