Opened 7 years ago
Closed 5 years ago
#28754 closed Bug (invalid)
validate_ipv46_address validator allows IP addresses to begin with a first octet of zero
| Reported by: | frankston | Owned by: | |
|---|---|---|---|
| Component: | Core (Other) | Version: | 1.11 |
| Severity: | Normal | Keywords: | IP, regular expression |
| Cc: | Triage Stage: | Someday/Maybe | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The regular expression used by the validate_ipv46_address validator allows IP addresses to begin with a first octet of zero.
For example the following IPs are incorrectly identified as being valid:
0.1.2.3
0.90.11.2
As a side note the ping command (on Ubuntu at least) sees this as an invalid IP:
~$ ping 0.1.2.3
connect: Invalid argument
Change History (8)
comment:1 by , 7 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 7 years ago
comment:3 by , 7 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:5 by , 7 years ago
| Has patch: | set |
|---|
Specifically, my concern is that the proposed regular expression is much more complicated and less readable. Part of that concern is because we've had security issues due to complicated regular expressions that are vulnerable to catastrophic backtracking.
Tim, pull requests should go to the master branch rather than a stable branch. The committer will take care of backporting if needed, but this fix doesn't qualify for a backport to 1.11 based on our supported versions policy. Don't forget to check "Has patch" on the ticket so that it appears in the review queue. Generally, you may not want to work on a ticket until it's "Triage Stage" is moved to "Accepted" to indicate a consensus to make a change (although seeing a patch for this is helpful in determining if the additional complexity is worthwhile).
comment:6 by , 7 years ago
| Has patch: | unset |
|---|---|
| Triage Stage: | Unreviewed → Someday/Maybe |
As suggested on the pull request, we should check if cpython would fix this issue as Django uses ipaddress.IPv4Address for validation. If so, I don't think we need to patch Django just to fix this issue for older versions of Python.
comment:7 by , 7 years ago
| Easy pickings: | unset |
|---|---|
| Owner: | removed |
| Status: | assigned → new |
comment:8 by , 5 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
- Since #27793, Django's IP address validation is a think wrapper around Python's
ipaddressmodule, we don't use regexps anymore. As far as I can tell, no issue was ever opened against cpython to request that leading 0 in IP addresses be marked as invalid [1]. - I can't find a reference explaining why IP address starting with 0 would be invalid (RFC 1700 [2] says they are valid but "can only be used as a source address"). On my machine,
ping 0.1.2.3does not give any error.
For these reasons, I'm going to mark this ticket as invalid. Feel free to reopen if I've missed something or if you disagree.
[1] https://bugs.python.org/issue?%40search_text=&ignore=file%3Acontent&title=ipaddress&%40columns=title&id=&%40columns=id&stage=&creation=&creator=&activity=&%40columns=activity&%40sort=activity&actor=&nosy=&type=&components=&versions=&dependencies=&assignee=&keywords=&priority=&status=&%40columns=status&resolution=&nosy_count=&message_count=&%40group=&%40pagesize=50&%40startwith=0&%40sortdir=on&%40action=search
[2] https://tools.ietf.org/html/rfc1700#page-4
"0.0.0.0" is listed as a valid address in Django's tests. I'm not sure if it's worth prohibiting other addresses that start with 0.