
Comments (3)

seancfoley commented on June 2, 2024

I may think about this some more, but my first thoughts are that:

  • it seems odd to be taking one number and converting it to some other number. It's hard to see why anyone would want this.
  • it's not clear to me this truncation was ever intended, although it is clear there are plenty of tools (e.g. Firefox and ping) that do this truncation wrt IPv4
  • if I allow this by default, I'll probably get issues opened up by people claiming that an obviously invalid address is being accepted as valid
  • when you are using the same parser to parse IPv6, it gets even murkier; there is no reason to assume you should truncate to get an IPv4 value, and it clashes with the support for single-segment hex IPv6 addresses
  • unlike inet_aton in general, this does not seem like a security issue (like CVE-2021-29921), since this library rejects the initial value, rather than parsing it as something different

So, with my current thinking, I might allow this truncation with some kind of validation option, but for the moment I am leaning against allowing these IPv4 addresses by default.

from ipaddress.

seancfoley commented on June 2, 2024

I added the IPv4 parsing parameter allow_inet_aton_extraneous_digits to version 5.5.0. You have to use IPAddressStringParameters to use parsing options; there is an example showing the use of parsing options in issue #123. When you choose this new IPv4 parsing option it will allow extra characters when parsing IPv4, although a given address might clash with IPv6. When you choose the option while also choosing to disallow IPv6, it will allow unlimited extra characters and mimic exactly the behaviour shown here. As I indicated before, I chose to not make it the default behaviour because it clashes with IPv6 and it seems to me most people would not prefer this behaviour. However, I added it so that people can choose to parse IPv4 in ways that are backwards compatible.
Closing.


seancfoley commented on June 2, 2024

This is the first time I've seen such a claim, that whatever number you choose will be truncated to 32 bits. This might clash with the heuristics used to distinguish IPv4 from IPv6, since a 32 char (128 bit) hex value is interpreted as an IPv6 address.

I'm also seeing that this is not consistent amongst browsers, since Chrome will not treat that as an address, while it is true that Firefox will.

inet_aton does not make this clear: "The value a is interpreted as a 32-bit value". It is not clear what "interpreted" means.

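The strict-versus-lenient choice discussed in this thread, as an added Python model that is not code from the ipaddress library or its author: a single-segment ("a"-form) inet_aton-style parse that rejects values wider than 32 bits by default (the library's default per the thread) and, when `allow_extraneous_digits` is set, keeps only the low 32 bits (the behaviour the new option and tools such as ping and Firefox exhibit per the thread). The function names, the prefix rules (0x hex, leading-0 octal, otherwise decimal) and the sample values are my assumptions; the library's IPv4/IPv6 heuristics are not modelled.

```python
import ipaddress
import re

MAX32 = 0xFFFF_FFFF

# Single-segment ("a") inet_aton forms: 0x hex, leading-0 octal, else decimal.
_SINGLE_SEGMENT = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_single_segment_ipv4(text, allow_extraneous_digits=False):
    """Parse a single-segment numeric IPv4 string (assumed model, not the library).

    Strict (default): a value wider than 32 bits is rejected.
    Lenient: only the low 32 bits are kept, mimicking inet_aton-style
    truncation.  Returns (dotted_quad, was_truncated).
    """
    if not _SINGLE_SEGMENT.match(text):
        raise ValueError(f"not a single-segment numeric address: {text!r}")
    if text[:2].lower() == "0x":
        value = int(text[2:], 16)
    elif len(text) > 1 and text[0] == "0":
        value = int(text, 8)
    else:
        value = int(text, 10)
    truncated = value > MAX32
    if truncated and not allow_extraneous_digits:
        raise ValueError(f"{text!r} does not fit in 32 bits; rejected")
    return str(ipaddress.IPv4Address(value & MAX32)), truncated


def colliding_inputs(dotted):
    """Distinct strings a lenient parser maps onto the same address (constructed)."""
    base = int(ipaddress.IPv4Address(dotted))
    return [str(base), str(base + (1 << 32)), hex(base + (1 << 36))]


def stdlib_rejects(text):
    """Python's own ipaddress module accepts only dotted-quad strings."""
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for s in colliding_inputs("127.0.0.1"):
        lenient = parse_single_segment_ipv4(s, allow_extraneous_digits=True)
        try:
            strict = parse_single_segment_ipv4(s)
        except ValueError as err:
            strict = f"rejected ({err})"
        print(f"{s:>14}  lenient={lenient}  strict={strict}  stdlib_rejects={stdlib_rejects(s)}")
```

Running it shows why the default matters: three different strings collapse to 127.0.0.1 under the lenient parse, so any check performed on the original string can disagree with the address the lenient parser hands to the network layer, whereas the strict parse only ever accepts the one that actually fits in 32 bits.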
