author | Roland Shoemaker <roland@golang.org> | 2021-06-07 10:21:29 -0700 |
---|---|---|
committer | Roland Shoemaker <roland@golang.org> | 2021-06-08 20:23:22 +0000 |
commit | d3e3d03666bbd8784007bbb78a75864aac786967 (patch) | |
tree | 5c0b6e64637e06eb3bad0d0247848b52d2b5da7d /doc | |
parent | da4a64014140adf83fb1434367ff68067249c267 (diff) | |
net: reject leading zeros in IP address parsers
In both net.ParseIP and net.ParseCIDR reject leading zeros in the
dot-decimal notation of IPv4 addresses.
Fixes #30999
Fixes #43389
Change-Id: I2b6a31fe84db89ac828cf5ed03eaa586ee96ab68
Reviewed-on: https://go-review.googlesource.com/c/go/+/325829
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/go1.17.html | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/go1.17.html b/doc/go1.17.html index 3a1b43a4e5..56f88e6724 100644 --- a/doc/go1.17.html +++ b/doc/go1.17.html @@ -639,6 +639,16 @@ Do not send CLs removing the interior tags from such phrases. <a href="/pkg/net/#ParseError"><code>ParseError</code></a> error type now implement the <a href="/pkg/net/#Error"><code>net.Error</code></a> interface. </p> + + <p><!-- CL325829 --> + The <a href="/pkg/net/#ParseIP"><code>ParseIP</code></a> and <a href="/pkg/net/#ParseCIDR"><code>ParseCIDR</code></a> + functions now reject IPv4 addresses which contain decimal components with leading zeros. + + These components were always interpreted as decimal, but some operating systems treat them as octal. + This mismatch could hypothetically lead to security issues if a Go application was used to validate IP addresses + which were then used in their original form with non-Go applications which interpreted components as octal. Generally, + it is advisable to always re-encoded values after validation, which avoids this class of parser misalignment issues. + </p> </dd> </dl><!-- net --> |
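Review bot: the last sentence of the added paragraph has a grammar slip, "it is advisable to always re-encoded values after validation" should read "re-encode values". In the same sentence the advice would be easier to act on if it said what re-encoding means here, for example passing on the string form of the parsed address rather than the original input string. The empty added line between "with leading zeros." and "These components were always interpreted as decimal" sits inside a single <p> element, so it has no effect on the rendered page and can be dropped, or the text can be split into two paragraphs if a break was intended. "hypothetically" could also be tightened: the paragraph already describes the concrete condition (Go validates the address as decimal, a non-Go consumer reads the original form as octal), so "could lead to security issues" states the risk without hedging.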