Diffstat (limited to 'doc/go1.17.html')
-rw-r--r-- doc/go1.17.html 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/go1.17.html b/doc/go1.17.html
index 3a1b43a4e5..56f88e6724 100644
--- a/doc/go1.17.html
+++ b/doc/go1.17.html
@@ -639,6 +639,16 @@ Do not send CLs removing the interior tags from such phrases.
<a href="/pkg/net/#ParseError"><code>ParseError</code></a> error type now implement
the <a href="/pkg/net/#Error"><code>net.Error</code></a> interface.
</p>
+
+ <p><!-- CL325829 -->
+ The <a href="/pkg/net/#ParseIP"><code>ParseIP</code></a> and <a href="/pkg/net/#ParseCIDR"><code>ParseCIDR</code></a>
+ functions now reject IPv4 addresses which contain decimal components with leading zeros.
+
+ These components were always interpreted as decimal, but some operating systems treat them as octal.
+ This mismatch could hypothetically lead to security issues if a Go application was used to validate IP addresses
+ which were then used in their original form with non-Go applications which interpreted components as octal. Generally,
+ it is advisable to always re-encoded values after validation, which avoids this class of parser misalignment issues.
+ </p>
</dd>
</dl><!-- net -->
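Review bot: The last added sentence has a grammar error, "it is advisable to always re-encoded values after validation"; it should read "re-encode values". The blank line in the middle of the new <p> does not render as a paragraph break in HTML, so either drop it or split the text into two <p> elements if a break was intended. Since this is the release note users will read to learn about a behavior change, it would help to state what callers now observe for a rejected address (the error result from ParseIP and ParseCIDR), and to phrase the closing advice as concretely as the sentence before it: pass the parsed and re-encoded value to downstream consumers, not the original input string.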