Update security note in docs to include mention of is_ip() and friends
autarch committed Mar 29, 2021
1 parent 7793a30 commit 3bba13c
Showing 2 changed files with 15 additions and 9 deletions.
4 changes: 4 additions & 0 deletions Changes
@@ -1,5 +1,9 @@
{{$NEXT}}

- Added some more details to the security docs to include mentions of the
is_*_ip() functions too.


0.29 2021-03-29

- Fixed a typo in the POD.
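Review bot: the new entry under {{$NEXT}} says what was added but not why it matters; since the section being extended is the security recommendation that callers must check C<is_ipv4()>, C<is_ipv6()> or C<is_ip()> before relying on the narrower checks, a short clause to that effect (e.g. "... since a false result from is_private_ip() alone does not mean the address is public") would let someone scanning the changelog see that this is a security-relevant clarification rather than a cosmetic doc tweak.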
20 changes: 11 additions & 9 deletions lib/Data/Validate/IP.pm
Expand Up @@ -642,24 +642,26 @@ specific network or whether an address is public or private (reserved).
=head1 USAGE AND SECURITY RECOMMENDATIONS
It's important to understand that if C<is_ipv4($ip)> or C<is_ipv6($ip)> return
false, then all other validation functions for that IP address family will
I<also> return false. So for example, if C<is_ipv4($ip)> is false, so are both
C<is_private_ipv4($ip)> I<and> C<is_public_ipv4($ip)>.
It's important to understand that if C<is_ipv4($ip)>, C<is_ipv6($ip)>, or
C<is_ip($ip)> return false, then all other validation functions for that IP
address family will I<also> return false. So for example, if C<is_ipv4($ip)>
returns false, then C<is_private_ipv4($ip)> I<and> C<is_public_ipv4($ip)> will
both also return false.
This means that simply calling C<is_private_ipv4($ip)> by itself is not
sufficient if you are dealing with untrusted input. You should always check
C<is_ipv4($ip)> as well.
C<is_ipv4($ip)> as well. This applies as well when using IPv6 functions or
generic functions like C<is_private_ip($ip)>.
There are security implications to this around certain oddly formed
addresses. Notably, an address like "010.0.0.1" is technically valid, but the
operating system will treat "010" as an octal number. That means that
"010.0.0.1" is equivalent to "8.0.0.1", I<not> "10.0.0.1".
However, this module's C<is_ipv4($ip)> function will return false for
addresses like "010.0.0.1" which have octal components. And of course that
means that it also returns false for C<is_private_ipv4($ip)> I<and>
C<is_public_ipv4($ip)>.
However, this module's C<is_ipv4($ip)> and C<is_ip($ip)> functions will return
false for addresses like "010.0.0.1" which have octal components. And of
course that means that it also returns false for C<is_private_ipv4($ip)>
I<and> C<is_public_ipv4($ip)>.
=head1 FUNCTIONS
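Review bot: the rewritten paragraphs still only describe the failure mode (a false C<is_private_ipv4($ip)> is not sufficient) without stating the safe pattern, so a reader may keep treating "not private" as "public"; suggest adding one explicit sentence along the lines of "To accept only public addresses, require C<is_ipv4($ip)> (or C<is_ip($ip)>) to be true and then check C<is_public_ipv4($ip)>; never infer publicness from C<is_private_ipv4($ip)> returning false." Two smaller wording points in the new lines: "all other validation functions for that IP address family" does not quite fit C<is_ip($ip)>, which is not tied to a single family (perhaps "for that address"), and "This applies as well when using ... as well" repeats "as well" and reads awkwardly ("The same applies when using IPv6 functions or generic functions like C<is_private_ip($ip)>.").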

1 comment on commit 3bba13c

@abergmann


CVE-2021-29662 was assigned to this commit.
