Opened 3 weeks ago

Last modified 13 days ago

#28754 assigned Bug

validate_ipv46_address validator allows IP addresses to begin with a first octet of zero

Reported by: frankston Owned by: Tim G.
Component: Core (Other) Version: 1.11
Severity: Normal Keywords: IP, regular expression
Cc: Triage Stage: Someday/Maybe
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description (last modified by frankston)

The regular expression used by the validate_ipv46_address validator allows IP addresses to begin with a first octet of zero.

For example, the following IPs are incorrectly identified as valid:
0.1.2.3
0.90.11.2

As a side note the ping command (on Ubuntu at least) sees this as an invalid IP:
~$ ping 0.1.2.3
connect: Invalid argument

Change History (6)

comment:1 Changed 3 weeks ago by frankston

Description: modified (diff)

comment:2 Changed 3 weeks ago by Tim Graham

"0.0.0.0" is listed as a valid address in Django's tests. I'm not sure if it's worth prohibiting other addresses that start with 0.

comment:3 Changed 3 weeks ago by Tim G.

Owner: changed from nobody to Tim G.
Status: new → assigned

comment:4 Changed 3 weeks ago by Tim G.

comment:5 Changed 3 weeks ago by Tim Graham

Has patch: set

Specifically, my concern is that the proposed regular expression is much more complicated and less readable. Part of that concern is because we've had security issues due to complicated regular expressions that are vulnerable to catastrophic backtracking.

Tim, pull requests should go to the master branch rather than a stable branch. The committer will take care of backporting if needed, but this fix doesn't qualify for a backport to 1.11 based on our supported versions policy. Don't forget to check "Has patch" on the ticket so that it appears in the review queue. Generally, you may not want to work on a ticket until its "Triage Stage" is moved to "Accepted" to indicate a consensus to make a change (although seeing a patch for this is helpful in determining if the additional complexity is worthwhile).

comment:6 Changed 13 days ago by Tim Graham

Has patch: unset
Triage Stage: Unreviewed → Someday/Maybe

As suggested on the pull request, we should check if cpython would fix this issue as Django uses ipaddress.IPv4Address for validation. If so, I don't think we need to patch Django just to fix this issue for older versions of Python.
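The following is an added example written for this ticket, not Django's validator and not code from the pull request. It shows the point comment 6 depends on: the standard-library ipaddress module accepts the addresses from the description (0.1.2.3, 0.90.11.2), so any stricter rule has to be layered on top of it. The stricter check below keeps 0.0.0.0, which comment 2 notes is listed as valid in Django's tests, and rejects every other address whose first octet is zero. The function names and the sample inputs are assumptions made for the example.

```python
import ipaddress

# Constructed sample inputs for the example (the two from the ticket
# description plus a few ordinary and malformed addresses).
SAMPLES = [
    "0.1.2.3",       # from the ticket: first octet zero
    "0.90.11.2",     # from the ticket: first octet zero
    "0.0.0.0",       # unspecified address, listed as valid in Django's tests
    "10.1.2.3",      # ordinary address
    "256.1.1.1",     # octet out of range
    "1.2.3",         # too few octets
]


def stdlib_accepts(value):
    """True if ipaddress.IPv4Address parses `value`.

    This is the check Django relies on according to comment 6; it accepts
    0.1.2.3 because a zero first octet is syntactically a valid dotted quad.
    """
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def is_strict_ipv4(value):
    """Stricter rule (an assumption for this example, not Django's policy):

    * parse with ipaddress.IPv4Address so range and shape errors are caught;
    * allow 0.0.0.0 explicitly;
    * reject any other address whose first octet is zero.
    """
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return True
    first_octet = int(addr) >> 24
    return first_octet != 0


def classify(values):
    """Return {address: (stdlib_accepts, is_strict_ipv4)} for each input."""
    return {v: (stdlib_accepts(v), is_strict_ipv4(v)) for v in values}


if __name__ == "__main__":
    for value, (loose, strict) in classify(SAMPLES).items():
        print(f"{value:>12}  stdlib={loose!s:5}  strict={strict}")
```

The difference between the two columns is exactly the set of addresses this ticket is about: 0.1.2.3 and 0.90.11.2 pass the stdlib parse and fail the stricter rule, while 0.0.0.0 passes both. Layering the extra check on a real parser rather than extending the regular expression keeps the concern raised in comment 5 (a more complicated, harder to read pattern) out of the picture.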
