Christian Heimes <li...@cheimes.de> added the comment:

Serhiy was right, this is a security issue. The patch should not have landed in 3.8. At a bare minimum the patch should have been postponed until documentation was updated. Since 3.8 the ipaddress module does not behave as documented. A similar security issue in NPM was published two days ago, CVE-2021-28918. I proposed to not only revert the change, but also tighten the check for leading zeros so it behaves like glibc's inet_pton(). It refuses any IPv4 string with a leading zero.

>>> socket.inet_pton(socket.AF_INET, "01.1.1.1")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: illegal IP address string passed to inet_pton
>>> socket.inet_pton(socket.AF_INET, "1.1.1.01")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: illegal IP address string passed to inet_pton

----------
components: +Library (Lib)
keywords: +3.8regression, 3.9regression -3.2regression
nosy: +christian.heimes
priority: normal -> critical
type: behavior -> security
versions: +Python 3.10, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36384>
_______________________________________
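As an added illustration, not part of the bug report and not CPython's ipaddress code: a strict dotted-quad parser that follows the rule the comment attributes to glibc's inet_pton() (reject any field with a leading zero) next to a deliberately lenient contrast parser that reads "01" as decimal 1, so the inputs on which the two disagree can be listed. The sample strings are constructed (the two from the comment plus a few more); inet_pton_accepts() queries the platform's socket module for comparison, and its answer depends on the C library in use.

```python
import re
import socket

# One decimal field of a dotted quad with no leading zero: either "0" or one
# to three digits not starting with "0". The 0..255 range is checked separately.
_STRICT_FIELD = re.compile(r"\A(0|[1-9][0-9]{0,2})\Z")

# Constructed sample inputs: the two strings quoted in the comment plus others.
SAMPLES = ["01.1.1.1", "1.1.1.01", "1.1.1.1", "0.0.0.0",
           "010.0.0.1", "256.1.1.1", "1.1.1"]


def strict_ipv4_octets(text):
    """Parse a dotted quad the way the comment describes glibc inet_pton():
    exactly four decimal fields, each 0..255, and no field with a leading zero.
    Returns the octets as a list of ints, or None when the text is rejected."""
    fields = text.split(".")
    if len(fields) != 4:
        return None
    octets = []
    for field in fields:
        if not _STRICT_FIELD.match(field):
            return None  # empty, non-digit, too long, or leading zero
        value = int(field)
        if value > 255:
            return None
        octets.append(value)
    return octets


def lenient_ipv4_octets(text):
    """Deliberately lenient contrast parser (constructed for this example):
    accepts a leading zero and reads the field as decimal, so "01" becomes 1.
    Two different strings can therefore name the same address."""
    fields = text.split(".")
    if len(fields) != 4:
        return None
    octets = []
    for field in fields:
        # isascii() guards against int() accepting non-ASCII digit characters.
        if not (field.isascii() and field.isdigit()):
            return None
        value = int(field)
        if value > 255:
            return None
        octets.append(value)
    return octets


def disagreements(samples=SAMPLES):
    """Inputs the lenient parser accepts but the strict one rejects: exactly
    the strings on which two components could disagree about the address."""
    return [s for s in samples
            if lenient_ipv4_octets(s) is not None
            and strict_ipv4_octets(s) is None]


def inet_pton_accepts(text):
    """Ask the platform's inet_pton (through the socket module) whether it
    accepts the string. The result depends on the C library, so it is only
    displayed, never asserted on."""
    try:
        socket.inet_pton(socket.AF_INET, text)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:>10}  strict={strict_ipv4_octets(s)}"
              f"  lenient={lenient_ipv4_octets(s)}"
              f"  inet_pton={inet_pton_accepts(s)}")
    print("lenient accepts, strict rejects:", disagreements())
```

Running the block prints one line per sample; the strict column should agree with the inet_pton column on a glibc system, and the final line lists the three leading-zero strings that only the lenient parser accepts.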
Serhiy was right, this is a security issue. The patch should not have landed in 3.8. At a bare minimum the patch should have been postponed until documentation was updated. Since 3.8 the ipaddresss does not behave as documented. A similar security issue in NPM was published two days ago, CVE-2021-28918. I proposed to not only revert the change, but also tighten the check for leading zeros so it behaves like glibc's inet_pton(). It refuses any IPv4 string with a leading zero. >>> socket.inet_pton(socket.AF_INET, "01.1.1.1") Traceback (most recent call last): File "<stdin>", line 1, in <module> OSError: illegal IP address string passed to inet_pton >>> socket.inet_pton(socket.AF_INET, "1.1.1.01") Traceback (most recent call last): File "<stdin>", line 1, in <module> OSError: illegal IP address string passed to inet_pton ---------- components: +Library (Lib) keywords: +3.8regression, 3.9regression -3.2regression nosy: +christian.heimes priority: normal -> critical type: behavior -> security versions: +Python 3.10, Python 3.9 _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue36384> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com