Opened 3 years ago

Closed 6 months ago

#28754 closed Bug (invalid)

validate_ipv46_address validator allows IP addresses to begin with a first octet of zero

Reported by: frankston Owned by:
Component: Core (Other) Version: 1.11
Severity: Normal Keywords: IP, regular expression
Cc: Triage Stage: Someday/Maybe
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by frankston)

The regular expression used by the validate_ipv46_address validator allows IP addresses to begin with a first octet of zero.

For example the following IPs are incorrectly identified as being valid:
0.1.2.3
0.90.11.2

As a side note the ping command (on Ubuntu at least) sees this as an invalid IP:
~$ ping 0.1.2.3
connect: Invalid argument

Change History (8)

comment:1 Changed 3 years ago by frankston

Description: modified (diff)

comment:2 Changed 3 years ago by Tim Graham

"0.0.0.0" is listed as a valid address in Django's tests. I'm not sure if it's worth prohibiting other addresses that start with 0.

comment:3 Changed 3 years ago by Tim G.

Owner: changed from nobody to Tim G.
Status: newassigned

comment:4 Changed 3 years ago by Tim G.

comment:5 Changed 3 years ago by Tim Graham

Has patch: set

Specifically, my concern is that the proposed regular expression is much more complicated and less readable. Part of that concern is because we've had security issues due to complicated regular expressions that are vulnerable to catastrophic backtracking.

Tim, pull requests should go to the master branch rather than a stable branch. The committer will take care of backporting if needed, but this fix doesn't qualify for a backport to 1.11 based on our supported versions policy. Don't forget to check "Has patch" on the ticket so that it appears in the review queue. Generally, you may not want to work on a ticket until it's "Triage Stage" is moved to "Accepted" to indicate a consensus to make a change (although seeing a patch for this is helpful in determining if the additional complexity is worthwhile).

comment:6 Changed 3 years ago by Tim Graham

Has patch: unset
Triage Stage: UnreviewedSomeday/Maybe

As suggested on the pull request, we should check if cpython would fix this issue as Django uses ipaddress.IPv4Address for validation. If so, I don't think we need to patch Django just to fix this issue for older versions of Python.

comment:7 Changed 2 years ago by Tim Graham

Easy pickings: unset
Owner: Tim G. deleted
Status: assignednew

comment:8 Changed 6 months ago by Baptiste Mispelon

Resolution: invalid
Status: newclosed
  • Since #27793, Django's IP address validation is a think wrapper around Python's ipaddress module, we don't use regexps anymore. As far as I can tell, no issue was ever opened against cpython to request that leading 0 in IP addresses be marked as invalid [1].
  • I can't find a reference explaining why IP address starting with 0 would be invalid (RFC 1700 [2] says they are valid but "can only be used as a source address"). On my machine, ping 0.1.2.3 does not give any error.

For these reasons, I'm going to mark this ticket as invalid. Feel free to reopen if I've missed something or if you disagree.

[1] https://bugs.python.org/issue?%40search_text=&ignore=file%3Acontent&title=ipaddress&%40columns=title&id=&%40columns=id&stage=&creation=&creator=&activity=&%40columns=activity&%40sort=activity&actor=&nosy=&type=&components=&versions=&dependencies=&assignee=&keywords=&priority=&status=&%40columns=status&resolution=&nosy_count=&message_count=&%40group=&%40pagesize=50&%40startwith=0&%40sortdir=on&%40action=search
[2] https://tools.ietf.org/html/rfc1700#page-4

Note: See TracTickets for help on using tickets.
Back to Top