On 27/03/2024 17:05, Sergey Chernyshev wrote:
> In the discussion of .ofLiteral() it was not concluded that
> .ofPosixLiteral() would be insecure or undesirable. From the 'security
> issues' point of view, it is a new method, it won't change the
> behavior of old apps. If any code (a csrf filter) written in Java
> recognized (knowing what it does) additional literal address formats,
> it would only be an improvement (in detection). The good reason is
> bringing compatibility with standard tools relying on inet_addr() into
> Java, which would actually help overcome the confusion between the
> standards. A real-world example could be a Java program parsing a HOSTS
> file (it allows hexadecimal address segments).
Again, please start a new discussion on net-dev. It would be helpful to
include a summary of the behavior between different operating systems, as
it's that difference, and the parsing of ambiguous corner cases, that
security researchers will focus on.
-Alan
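The literal grammar under discussion, as an added example that is not code from this thread or from the JDK: a small C program that runs a set of constructed IPv4 literals through the platform's inet_aton() (the grammar behind inet_addr(), which also accepts octal and hexadecimal parts and the 1-, 2- and 3-part forms) beside the strict inet_pton(), and canonicalizes whatever the permissive grammar accepts to dotted-quad form, which is what a filter wanting to recognise the extra formats would compare against. The helper names (`canonical_ipv4`, `denotes_loopback`, `canonical_is`) and the literal list are assumptions for illustration; the results below reflect glibc and musl on Linux, and the per-operating-system differences Alan asks to summarise show up as differences in exactly this table.

```c
#define _DEFAULT_SOURCE          /* glibc: expose inet_aton() from <arpa/inet.h> */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Strict parser: only dotted-decimal a.b.c.d, each part 0..255, no prefixes.
 * This is what inet_pton(AF_INET, ...) implements.  Returns 1 on success. */
int parse_strict_ipv4(const char *lit, struct in_addr *out)
{
    return inet_pton(AF_INET, lit, out) == 1;
}

int strict_accepts(const char *lit)
{
    struct in_addr a;
    return parse_strict_ipv4(lit, &a);
}

/* POSIX/BSD parser: inet_aton(), the grammar behind inet_addr().  Besides
 * a.b.c.d it accepts a.b.c (c = 16 bits), a.b (b = 24 bits) and a (32 bits),
 * and each part may be decimal, octal (leading 0) or hex (0x).  inet_aton()
 * is called rather than inet_addr() because inet_addr() signals failure with
 * INADDR_NONE, which is indistinguishable from 255.255.255.255. */
int parse_posix_ipv4(const char *lit, struct in_addr *out)
{
    return inet_aton(lit, out) != 0;
}

/* Canonical form: writes "a.b.c.d" to out when the POSIX grammar accepts lit.
 * A filter comparing literals against an allow/deny list should compare this
 * form rather than the raw string. */
int canonical_ipv4(const char *lit, char *out, size_t outlen)
{
    struct in_addr a;
    if (!parse_posix_ipv4(lit, &a))
        return 0;
    return inet_ntop(AF_INET, &a, out, (socklen_t)outlen) != NULL;
}

/* Convenience for checks: 1 if lit canonicalizes to expect. */
int canonical_is(const char *lit, const char *expect)
{
    char buf[INET_ADDRSTRLEN];
    return canonical_ipv4(lit, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

/* Host-order value of the address; *ok is cleared when lit is rejected. */
uint32_t posix_value(const char *lit, int *ok)
{
    struct in_addr a;
    *ok = parse_posix_ipv4(lit, &a);
    return *ok ? ntohl(a.s_addr) : 0;
}

/* Example filter predicate (assumption): does lit denote 127.0.0.0/8 under
 * the permissive grammar?  A check on the raw string would miss "127.1". */
int denotes_loopback(const char *lit)
{
    int ok;
    uint32_t v = posix_value(lit, &ok);
    return ok && (v & 0xff000000u) == 0x7f000000u;
}

int main(void)
{
    /* Constructed literals; the first six all denote 127.0.0.1 to inet_aton(). */
    static const char *const lits[] = {
        "127.0.0.1", "127.1", "0x7f.1", "0177.0.0.1", "2130706433",
        "0x7f000001", "127.0.0.1.5", "256.1.1.1", "localhost",
    };
    char canon[INET_ADDRSTRLEN];
    printf("%-14s %-6s %-6s %s\n", "literal", "strict", "posix", "canonical");
    for (size_t i = 0; i < sizeof lits / sizeof lits[0]; i++) {
        int strict = strict_accepts(lits[i]);
        int loose = canonical_ipv4(lits[i], canon, sizeof canon);
        printf("%-14s %-6s %-6s %s\n", lits[i], strict ? "yes" : "no",
               loose ? "yes" : "no", loose ? canon : "-");
    }
    return 0;
}
```

Compile with `cc -o literals literals.c` and run it; the table shows the strict parser accepting only the first row while the POSIX grammar maps five more spellings onto 127.0.0.1, which is the ambiguity a detection filter has to canonicalize away rather than pattern-match on the string.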