Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/netip: IPv4 parser accepts leading zeroes #49365

Closed
FiloSottile opened this issue Nov 4, 2021 · 3 comments
Closed

net/netip: IPv4 parser accepts leading zeroes #49365

FiloSottile opened this issue Nov 4, 2021 · 3 comments
Labels
NeedsFix release-blocker Security
Milestone

Comments

@FiloSottile
Copy link
Contributor

@FiloSottile FiloSottile commented Nov 4, 2021

In Go 1.17 we took a backwards compatibility hit to reject IPv4 addresses with leading zeroes in net.ParseIP (#30999) because they can be parsed differently (as octal) by the operating system, leading to potentially security sensistive mismatches.

netip.ParseAddr reintroduces the behavior we removed from net.ParseIP. That sounds wrong for all the reasons we decided to change net.ParseIP, and because it's now inconsistent with net.ParseIP.

@FiloSottile FiloSottile added this to the Go1.18 milestone Nov 4, 2021
@ianlancetaylor ianlancetaylor added the NeedsFix label Nov 4, 2021
@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Nov 4, 2021

CC @bradfitz @josharian

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Nov 4, 2021

Will fix. We actually had it fixed but changed to match net.ParseIP at the time.

@gopherbot
Copy link

@gopherbot gopherbot commented Nov 5, 2021

Change https://golang.org/cl/361534 mentions this issue: net/netip: don't accept ParseAddr with leading zeros

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix release-blocker Security
Projects
None yet
Development

No branches or pull requests

4 participants