author Roland Shoemaker <roland@golang.org> 2021-06-07 10:21:29 -0700
committer Roland Shoemaker <roland@golang.org> 2021-06-08 20:23:22 +0000
commit d3e3d03666bbd8784007bbb78a75864aac786967
tree 5c0b6e64637e06eb3bad0d0247848b52d2b5da7d /doc
parent da4a64014140adf83fb1434367ff68067249c267
net: reject leading zeros in IP address parsers
In both net.ParseIP and net.ParseCIDR reject leading zeros in the dot-decimal notation of IPv4 addresses.

Fixes #30999
Fixes #43389

Change-Id: I2b6a31fe84db89ac828cf5ed03eaa586ee96ab68
Reviewed-on: https://go-review.googlesource.com/c/go/+/325829
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/go1.17.html 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/go1.17.html b/doc/go1.17.html
index 3a1b43a4e5..56f88e6724 100644
--- a/doc/go1.17.html
+++ b/doc/go1.17.html
@@ -639,6 +639,16 @@ Do not send CLs removing the interior tags from such phrases.
<a href="/pkg/net/#ParseError"><code>ParseError</code></a> error type now implement
the <a href="/pkg/net/#Error"><code>net.Error</code></a> interface.
</p>
+
+ <p><!-- CL325829 -->
+ The <a href="/pkg/net/#ParseIP"><code>ParseIP</code></a> and <a href="/pkg/net/#ParseCIDR"><code>ParseCIDR</code></a>
+ functions now reject IPv4 addresses which contain decimal components with leading zeros.
+
+ These components were always interpreted as decimal, but some operating systems treat them as octal.
+ This mismatch could hypothetically lead to security issues if a Go application was used to validate IP addresses
+ which were then used in their original form with non-Go applications which interpreted components as octal. Generally,
+ it is advisable to always re-encoded values after validation, which avoids this class of parser misalignment issues.
+ </p>
</dd>
</dl><!-- net -->
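Review bot: The last added sentence has a verb-form error: "it is advisable to always re-encoded values after validation" should read "re-encode values". Separately, the blank added line between "...with leading zeros." and "These components were always interpreted as decimal..." sits inside a single <p> element, so it will not render as a paragraph break; if two paragraphs are intended, close the first <p> and open a second one, otherwise drop the blank line. The note would also be easier to act on if the first sentence stated how the rejection surfaces to callers of ParseIP and ParseCIDR, since "reject" alone does not tell a reader upgrading existing code what to check for. The closing advice is the part security reviewers will look for, so consider making it concrete: say that the value passed on to other programs should be the re-encoded result of parsing rather than the original input string.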