|
 |
3c269c |
diff --git a/doc/go1.16.html b/doc/go1.16.html
|
|
|
3c269c |
index 0beb62d..fc6b668 100644
|
|
|
3c269c |
--- a/doc/go1.16.html
|
|
|
3c269c |
+++ b/doc/go1.16.html
|
|
|
3c269c |
@@ -891,6 +891,14 @@ func TestFoo(t *testing.T) {
|
|
|
3c269c |
is missing; this is common on musl-based systems and makes
|
|
|
3c269c |
Go programs match the behavior of C programs on those systems.
|
|
|
3c269c |
|
|
|
3c269c |
+
|
|
|
3c269c |
+ The ParseIP and ParseCIDR
|
|
|
3c269c |
+ functions now reject IPv4 addresses which contain decimal components with leading zeros.
|
|
|
3c269c |
+ These components were always interpreted as decimal, but some operating systems treat them as octal.
|
|
|
3c269c |
+ This mismatch could hypothetically lead to security issues if a Go application was used to validate IP addresses
|
|
|
3c269c |
+ which were then used in their original form with non-Go applications which interpreted components as octal. Generally,
|
|
|
3c269c |
+ it is advisable to always re-encoded values after validation, which avoids this class of parser misalignment issues.
|
|
|
3c269c |
+
|
|
|
3c269c |
|
|
|
3c269c |
|
|
|
3c269c |
|
|
|
3c269c |
diff --git a/src/net/hosts_test.go b/src/net/hosts_test.go
|
|
|
3c269c |
index f850e2f..19c4399 100644
|
|
|
3c269c |
--- a/src/net/hosts_test.go
|
|
|
3c269c |
+++ b/src/net/hosts_test.go
|
|
|
3c269c |
@@ -36,7 +36,7 @@ var lookupStaticHostTests = []struct {
|
|
|
3c269c |
},
|
|
|
3c269c |
},
|
|
|
3c269c |
{
|
|
|
3c269c |
- "testdata/ipv4-hosts", // see golang.org/issue/8996
|
|
|
3c269c |
+ "testdata/ipv4-hosts",
|
|
|
3c269c |
[]staticHostEntry{
|
|
|
3c269c |
{"localhost", []string{"127.0.0.1", "127.0.0.2", "127.0.0.3"}},
|
|
|
3c269c |
{"localhost.localdomain", []string{"127.0.0.3"}},
|
|
|
3c269c |
@@ -102,7 +102,7 @@ var lookupStaticAddrTests = []struct {
|
|
|
3c269c |
},
|
|
|
3c269c |
},
|
|
|
3c269c |
{
|
|
|
3c269c |
- "testdata/ipv4-hosts", // see golang.org/issue/8996
|
|
|
3c269c |
+ "testdata/ipv4-hosts",
|
|
|
3c269c |
[]staticHostEntry{
|
|
|
3c269c |
{"127.0.0.1", []string{"localhost"}},
|
|
|
3c269c |
{"127.0.0.2", []string{"localhost"}},
|
|
|
3c269c |
diff --git a/src/net/ip.go b/src/net/ip.go
|
|
|
3c269c |
index c00fe8e..007f3f7 100644
|
|
|
3c269c |
--- a/src/net/ip.go
|
|
|
3c269c |
+++ b/src/net/ip.go
|
|
|
3c269c |
@@ -552,6 +552,10 @@ func parseIPv4(s string) IP {
|
|
|
3c269c |
if !ok || n > 0xFF {
|
|
|
3c269c |
return nil
|
|
|
3c269c |
}
|
|
|
3c269c |
+ if c > 1 && s[0] == '0' {
|
|
|
3c269c |
+ // Reject non-zero components with leading zeroes.
|
|
|
3c269c |
+ return nil
|
|
|
3c269c |
+ }
|
|
|
3c269c |
s = s[c:]
|
|
|
3c269c |
p[i] = byte(n)
|
|
|
3c269c |
}
|
|
|
3c269c |
diff --git a/src/net/ip_test.go b/src/net/ip_test.go
|
|
|
3c269c |
index a5fc5e6..585381d 100644
|
|
|
3c269c |
--- a/src/net/ip_test.go
|
|
|
3c269c |
+++ b/src/net/ip_test.go
|
|
|
3c269c |
@@ -20,9 +20,7 @@ var parseIPTests = []struct {
|
|
|
3c269c |
}{
|
|
|
3c269c |
{"127.0.1.2", IPv4(127, 0, 1, 2)},
|
|
|
3c269c |
{"127.0.0.1", IPv4(127, 0, 0, 1)},
|
|
|
3c269c |
- {"127.001.002.003", IPv4(127, 1, 2, 3)},
|
|
|
3c269c |
{"::ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
|
|
|
3c269c |
- {"::ffff:127.001.002.003", IPv4(127, 1, 2, 3)},
|
|
|
3c269c |
{"::ffff:7f01:0203", IPv4(127, 1, 2, 3)},
|
|
|
3c269c |
{"0:0:0:0:0000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
|
|
|
3c269c |
{"0:0:0:0:000000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
|
|
|
3c269c |
@@ -42,6 +40,11 @@ var parseIPTests = []struct {
|
|
|
3c269c |
{"fe80::1%911", nil},
|
|
|
3c269c |
{"", nil},
|
|
|
3c269c |
{"a1:a2:a3:a4::b1:b2:b3:b4", nil}, // Issue 6628
|
|
|
3c269c |
+ {"127.001.002.003", nil},
|
|
|
3c269c |
+ {"::ffff:127.001.002.003", nil},
|
|
|
3c269c |
+ {"123.000.000.000", nil},
|
|
|
3c269c |
+ {"1.2..4", nil},
|
|
|
3c269c |
+ {"0123.0.0.1", nil},
|
|
|
3c269c |
}
|
|
|
3c269c |
|
|
|
3c269c |
func TestParseIP(t *testing.T) {
|
|
|
3c269c |
@@ -357,6 +360,7 @@ var parseCIDRTests = []struct {
|
|
|
3c269c |
{"0.0.-2.0/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.-2.0/32"}},
|
|
|
3c269c |
{"0.0.0.-3/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.-3/32"}},
|
|
|
3c269c |
{"0.0.0.0/-0", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.0/-0"}},
|
|
|
3c269c |
+ {"127.000.000.001/32", nil, nil, &ParseError{Type: "CIDR address", Text: "127.000.000.001/32"}},
|
|
|
3c269c |
{"", nil, nil, &ParseError{Type: "CIDR address", Text: ""}},
|
|
|
3c269c |
}
|
|
|
3c269c |
|
|
|
3c269c |
diff --git a/src/net/testdata/ipv4-hosts b/src/net/testdata/ipv4-hosts
|
|
|
3c269c |
index 5208bb4..6b99675 100644
|
|
|
3c269c |
--- a/src/net/testdata/ipv4-hosts
|
|
|
3c269c |
+++ b/src/net/testdata/ipv4-hosts
|
|
|
3c269c |
@@ -1,12 +1,8 @@
|
|
|
3c269c |
# See https://tools.ietf.org/html/rfc1123.
|
|
|
3c269c |
-#
|
|
|
3c269c |
-# The literal IPv4 address parser in the net package is a relaxed
|
|
|
3c269c |
-# one. It may accept a literal IPv4 address in dotted-decimal notation
|
|
|
3c269c |
-# with leading zeros such as "001.2.003.4".
|
|
|
3c269c |
|
|
|
3c269c |
# internet address and host name
|
|
|
3c269c |
127.0.0.1 localhost # inline comment separated by tab
|
|
|
3c269c |
-127.000.000.002 localhost # inline comment separated by space
|
|
|
3c269c |
+127.0.0.2 localhost # inline comment separated by space
|
|
|
3c269c |
|
|
|
3c269c |
# internet address, host name and aliases
|
|
|
3c269c |
-127.000.000.003 localhost localhost.localdomain
|
|
|
3c269c |
+127.0.0.3 localhost localhost.localdomain
|