Message389826
Serhiy was right, this is a security issue.
The patch should not have landed in 3.8. At a bare minimum the patch should have been postponed until documentation was updated. Since 3.8 the ipaddress module does not behave as documented. A similar security issue in NPM was published two days ago, CVE-2021-28918.
I proposed to not only revert the change, but also tighten the check for leading zeros so it behaves like glibc's inet_pton(). It refuses any IPv4 string with a leading zero.
>>> socket.inet_pton(socket.AF_INET, "01.1.1.1")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: illegal IP address string passed to inet_pton
>>> socket.inet_pton(socket.AF_INET, "1.1.1.01")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: illegal IP address string passed to inet_pton
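The point of the comment above is that two parsers disagreeing on "01.1.1.1" (one accepting it, another rejecting it, a third possibly reading the octet as octal) is what makes leading zeros a security problem for anything that does allow-list or deny-list matching on IP strings. The block below is an added example, not code from the issue or from CPython: a strict dotted-quad validator that behaves like glibc's inet_pton() and refuses any octet with a leading zero, placed in front of ipaddress.IPv4Address so callers get one consistent answer regardless of which Python version they run on. The function names are my own; the sample inputs are constructed. The comparison in main() shows how socket.inet_pton and ipaddress treat the same strings on the host it is run on, and is printed rather than asserted because that behaviour depends on the platform libc and the Python version.

```python
import ipaddress
import re
import socket

# One octet: "0" on its own, or a 1-3 digit number with no leading zero.
# Values above 255 still match the regex and are rejected by ipaddress below.
_OCTET = r"(?:0|[1-9][0-9]{0,2})"
_STRICT_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def parse_strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse a canonical IPv4 string (four decimal octets, no leading zeros).

    Raises ValueError for anything else, including "01.1.1.1", "1.1.1.01",
    "1.1.1", and out-of-range octets such as "256.1.1.1". This mirrors the
    glibc inet_pton() rule quoted in the comment above, so the result cannot
    be read differently by a parser that treats a leading zero as octal.
    """
    if not _STRICT_IPV4.fullmatch(text):
        raise ValueError(f"not a canonical dotted-quad IPv4 address: {text!r}")
    # ipaddress performs the 0-255 range check (AddressValueError is a ValueError).
    return ipaddress.IPv4Address(text)


def is_strict_ipv4(text: str) -> bool:
    """Boolean form of parse_strict_ipv4 for use in allow-list checks."""
    try:
        parse_strict_ipv4(text)
        return True
    except ValueError:
        return False


def _inet_pton_accepts(text: str) -> bool:
    """Whether the host libc's inet_pton() accepts the string (platform dependent)."""
    try:
        socket.inet_pton(socket.AF_INET, text)
        return True
    except OSError:
        return False


def _ipaddress_accepts(text: str) -> bool:
    """Whether this Python version's ipaddress module accepts the string."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def main() -> None:
    # Constructed samples: canonical, leading-zero, and malformed forms.
    samples = ["1.1.1.1", "01.1.1.1", "1.1.1.01", "0.0.0.0", "256.1.1.1", "1.1.1"]
    print(f"{'input':<12} {'strict':<7} {'inet_pton':<10} ipaddress")
    for s in samples:
        print(f"{s:<12} {is_strict_ipv4(s)!s:<7} {_inet_pton_accepts(s)!s:<10} "
              f"{_ipaddress_accepts(s)}")


if __name__ == "__main__":
    main()
```

Run it on a pre-fix 3.8 and on a current release to see the ipaddress column change while the strict column stays the same; that stability is the property an access-control check needs.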
History

Date | User | Action | Args
2021-03-30 14:23:11 | christian.heimes | set | recipients: + christian.heimes, ncoghlan, eric.smith, ned.deily, pmoody, docs@python, serhiy.storchaka, Joel Croteau
2021-03-30 14:23:11 | christian.heimes | set | messageid: <1617114191.27.0.130588410785.issue36384@roundup.psfhosted.org>
2021-03-30 14:23:11 | christian.heimes | link | issue36384 messages
2021-03-30 14:23:11 | christian.heimes | create |