Serhiy was right, this is a security issue.
The patch should not have landed in 3.8. At a bare minimum the patch should have been postponed until documentation was updated. Since 3.8 the ipaddress does not behave as documented. A similar security issue in NPM was published two days ago, CVE-2021-28918.
I proposed to not only revert the change, but also tighten the check for leading zeros so it behaves like glibc's inet_pton(). It refuses any IPv4 string with a leading zero.
>>> socket.inet_pton(socket.AF_INET, "01.1.1.1")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: illegal IP address string passed to inet_pton
>>> socket.inet_pton(socket.AF_INET, "1.1.1.01")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: illegal IP address string passed to inet_pton
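
An added example, not part of the original comment and not CPython's code: a strict dotted-quad parser that refuses any octet with a leading zero, as the inet_pton() calls above do, next to a helper showing why a lenient parser is ambiguous. The names parse_ipv4_strict and lenient_readings are hypothetical, and the octal reading assumes the inet_aton() convention that a leading zero marks an octal number.

```python
def parse_ipv4_strict(text: str) -> bytes:
    """Return the 4 packed address bytes, or raise ValueError.

    Any octet with a leading zero is refused, so one string can never
    denote two different addresses in two different parsers.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets in {text!r}")
    octets = []
    for part in parts:
        # str.isdigit() alone also accepts non-ASCII digits; require ASCII.
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"non-decimal octet {part!r} in {text!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"leading zero in octet {part!r} of {text!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet {part!r} out of range in {text!r}")
        octets.append(value)
    return bytes(octets)


def lenient_readings(text: str) -> tuple:
    """Return (decimal_reading, octal_reading) of a dotted quad.

    decimal: leading zeros are stripped and the octet is read in base 10.
    octal:   a leading zero marks base 8 (assumed inet_aton() convention).
    """
    parts = text.split(".")
    decimal = ".".join(str(int(p, 10)) for p in parts)
    octal = ".".join(
        str(int(p, 8)) if len(p) > 1 and p[0] == "0" else str(int(p, 10))
        for p in parts
    )
    return decimal, octal


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("1.1.1.1", "01.1.1.1", "1.1.1.01", "010.1.1.1"):
        try:
            print(candidate, "->", parse_ipv4_strict(candidate).hex("."))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
    print(lenient_readings("010.1.1.1"))
```

A filter that validates with one reading and a socket layer that connects with the other will disagree about which host "010.1.1.1" names; rejecting the string outright removes the disagreement.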