net/netip: IPv4 parser accepts leading zeroes #49365
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
ianlancetaylor
added
the
NeedsFix
|
Will fix. We actually had it fixed but changed to match net.ParseIP at the time. |
|
Change https://golang.org/cl/361534 mentions this issue: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
In Go 1.17 we took a backwards compatibility hit to reject IPv4 addresses with leading zeroes in net.ParseIP (#30999) because they can be parsed differently (as octal) by the operating system, leading to potentially security sensistive mismatches.
netip.ParseAddr reintroduces the behavior we removed from net.ParseIP. That sounds wrong for all the reasons we decided to change net.ParseIP, and because it's now inconsistent with net.ParseIP.
The text was updated successfully, but these errors were encountered: