validate_ipv4_address (and probably other validators) accept non-ASCII digits

[Martin Dickopp]

validate_ipv4_address incorrectly accepts values that contain non-ASCII digits, e.g. 127.0.0.൧ (where the last character is U+0D67) in Python 3. This appears to be caused by the use of \d in the regular expression, which matches not only ASCII digits [0-9], but any Unicode digit.

Other validators that use \d may be affected as well.

[Claude Paroz]

See also #22378.

[Iacopo Spalletti]

I'm willing to work on this. Following what has been done in #22378 fix is replacing \d with [0-9]+ in relevant validators

[Emett Speer]

I would suggest something a little more extensive for validating IP addresses. This will get almost all invalid IP addresses. Though it does still have problems with an IP address like "192.168.00.10".

"^{(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"}

[Tim Graham]

Well, actually we're trying to simplify the regular expressions we use at least in some other places (e.g. #26423). Complex regular expressions are difficult to maintain and have resulted in recursive backtracking security issues.

[Emett Speer]

Replying to timgraham:

Well, actually we're trying to simplify the regular expressions we use at least in some other places (e.g. #26423). Complex regular expressions are difficult to maintain and have resulted in recursive backtracking security issues.

If having a more complex but more accurate regex validation could cause a security issue then its not worth it.

[Tim Graham]

The ​PR could use a few more tests.

[Tim Graham <timograham@…>]

In 21dd7923:

Fixed #26578 -- Prohibited non-ASCII digits in validate_ipv4_address.