Author vstinner
Recipients Joel Croteau, christian.heimes, docs@python, eric.smith, gc2, lukasz.langa, ncoghlan, ned.deily, pmoody, serhiy.storchaka, steve.dower, vstinner
Date 2021-04-06.17:19:01
Message-id <1617729541.65.0.12208326274.issue36384@roundup.psfhosted.org>
Content
> In this case, having it off by default goes further to prevent breakage

PyYAML was unsafe by default: it allowed executing arbitrary Python code by default. It took years to change the default to "safe". I don't think that adding a parameter for opt-in for security is a good approach. An application can use ipaddress internally without being aware of using it, if it's done by a third party module. It's hard to prevent security vulnerabilities if people have to "opt-in" for security.

I prefer to break code and force people to manually get back the old behavior. It's better to make 90% safe by default but make 10% of people unhappy.

It's uncommon to pass IPv4 addresses with leading zeros.

If you want to tolerate leading zeros, you don't have to modify the ipaddress for that, you can pre-process your inputs: it works on any Python version with or without the fix.

>>> def reformat_ip(address): return '.'.join(part.lstrip('0') or '0' for part in address.split('.'))
... 
>>> reformat_ip('0127.0.0.1')
'127.0.0.1'

Or with an explicit loop for readability:

def reformat_ip(address):
    parts = []
    for part in address.split('.'):
        # Strip leading zeros; an all-zero field ("0", "00") stays "0"
        part = part.lstrip('0') or '0'
        parts.append(part)
    return '.'.join(parts)
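
Added example, not part of the original message or of CPython: C-library parsers such as inet_aton() read a field with a leading zero as octal, so a zero-stripping pre-processor and such a parser can disagree on the same string. The sketch below validates the fields, applies the decimal reading from the message, and flags inputs where the two readings differ so they can be logged or rejected; the function names and sample inputs are constructed for illustration.

```python
import ipaddress


def octets(address):
    """Split into exactly four ASCII-digit fields, or raise ValueError."""
    parts = address.split('.')
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted quad of decimal digits: {address!r}")
    return parts


def decimal_reading(address):
    """Leading zeros ignored (the pre-processing approach in the message)."""
    # str(int(p, 10)) never emits a leading zero, so this works with or
    # without the ipaddress fix; out-of-range fields raise ValueError.
    return ipaddress.IPv4Address('.'.join(str(int(p, 10)) for p in octets(address)))


def octal_reading(address):
    """Leading zero means octal, as inet_aton()-style parsers read it."""
    values = []
    for p in octets(address):
        base = 8 if len(p) > 1 and p[0] == '0' else 10
        values.append(int(p, base))  # ValueError for e.g. '09'
    return ipaddress.IPv4Address('.'.join(map(str, values)))


def check(address):
    """Return (IPv4Address, ambiguous).

    ambiguous is True when a leading zero makes the octal reading differ
    from the decimal one, or makes the octal reading invalid.
    """
    dec = decimal_reading(address)
    try:
        ambiguous = octal_reading(address) != dec
    except ValueError:
        ambiguous = True
    return dec, ambiguous


if __name__ == "__main__":
    # Constructed sample inputs
    for s in ('127.0.0.1', '127.00.0.1', '0127.0.0.1', '192.168.09.1'):
        ip, ambiguous = check(s)
        print(f"{s!r:16} -> {ip}  ambiguous={ambiguous}")
```
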