|
 |
f068d2 |
diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
|
|
|
f068d2 |
index 2cdfddb..d464d2a 100644
|
|
|
f068d2 |
--- a/Doc/library/ipaddress.rst
|
|
|
f068d2 |
+++ b/Doc/library/ipaddress.rst
|
|
|
f068d2 |
@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are
|
|
|
f068d2 |
1. A string in decimal-dot notation, consisting of four decimal integers in
|
|
|
f068d2 |
the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
|
|
|
f068d2 |
integer represents an octet (byte) in the address. Leading zeroes are
|
|
|
f068d2 |
- tolerated only for values less than 8 (as there is no ambiguity
|
|
|
f068d2 |
- between the decimal and octal interpretations of such strings).
|
|
|
f068d2 |
+ not tolerated to prevent confusion with octal notation.
|
|
|
f068d2 |
2. An integer that fits into 32 bits.
|
|
|
f068d2 |
3. An integer packed into a :class:`bytes` object of length 4 (most
|
|
|
f068d2 |
significant octet first).
|
|
|
f068d2 |
diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
|
|
|
f068d2 |
index 28b7b61..d351f07 100644
|
|
|
f068d2 |
--- a/Lib/ipaddress.py
|
|
|
f068d2 |
+++ b/Lib/ipaddress.py
|
|
|
f068d2 |
@@ -1173,6 +1173,11 @@ class _BaseV4:
|
|
|
f068d2 |
if len(octet_str) > 3:
|
|
|
f068d2 |
msg = "At most 3 characters permitted in %r"
|
|
|
f068d2 |
raise ValueError(msg % octet_str)
|
|
|
f068d2 |
+ # Handle leading zeros as strict as glibc's inet_pton()
|
|
|
f068d2 |
+ # See security bug bpo-36384
|
|
|
f068d2 |
+ if octet_str != '0' and octet_str[0] == '0':
|
|
|
f068d2 |
+ msg = "Leading zeros are not permitted in %r"
|
|
|
f068d2 |
+ raise ValueError(msg % octet_str)
|
|
|
f068d2 |
# Convert to integer (we know digits are legal)
|
|
|
f068d2 |
octet_int = int(octet_str, 10)
|
|
|
f068d2 |
if octet_int > 255:
|
|
|
f068d2 |
diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
|
|
|
f068d2 |
index 2f1c5b6..1297b83 100644
|
|
|
f068d2 |
--- a/Lib/test/test_ipaddress.py
|
|
|
f068d2 |
+++ b/Lib/test/test_ipaddress.py
|
|
|
f068d2 |
@@ -97,10 +97,23 @@ class CommonTestMixin:
|
|
|
f068d2 |
class CommonTestMixin_v4(CommonTestMixin):
|
|
|
f068d2 |
|
|
|
f068d2 |
def test_leading_zeros(self):
|
|
|
f068d2 |
- self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
|
|
|
f068d2 |
- self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
|
|
|
f068d2 |
- self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
|
|
|
f068d2 |
- self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
|
|
|
f068d2 |
+ # bpo-36384: no leading zeros to avoid ambiguity with octal notation
|
|
|
f068d2 |
+ msg = "Leading zeros are not permitted in '\d+'"
|
|
|
f068d2 |
+ addresses = [
|
|
|
f068d2 |
+ "000.000.000.000",
|
|
|
f068d2 |
+ "192.168.000.001",
|
|
|
f068d2 |
+ "016.016.016.016",
|
|
|
f068d2 |
+ "192.168.000.001",
|
|
|
f068d2 |
+ "001.000.008.016",
|
|
|
f068d2 |
+ "01.2.3.40",
|
|
|
f068d2 |
+ "1.02.3.40",
|
|
|
f068d2 |
+ "1.2.03.40",
|
|
|
f068d2 |
+ "1.2.3.040",
|
|
|
f068d2 |
+ ]
|
|
|
f068d2 |
+ for address in addresses:
|
|
|
f068d2 |
+ with self.subTest(address=address):
|
|
|
f068d2 |
+ with self.assertAddressError(msg):
|
|
|
f068d2 |
+ self.factory(address)
|
|
|
f068d2 |
|
|
|
f068d2 |
def test_int(self):
|
|
|
f068d2 |
self.assertInstancesEqual(0, "0.0.0.0")
|