+59
-8
lines changed Original file line number Diff line number Diff line change
@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are
104
104
1. A string in decimal-dot notation, consisting of four decimal integers in
105
105
the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
106
106
integer represents an octet (byte) in the address. Leading zeroes are
107
-
tolerated only for values less than 8 (as there is no ambiguity
108
-
between the decimal and octal interpretations of such strings).
107
+
not tolerated to prevent confusion with octal notation.
109
108
2. An integer that fits into 32 bits.
110
109
3. An integer packed into a :class:`bytes` object of length 4 (most
111
110
significant octet first).
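Review bot: The added sentence "not tolerated to prevent confusion with octal notation" does not say what a caller sees when a string such as ``192.168.000.001`` is passed, nor that a lone ``0`` octet stays valid (the parser change only rejects `octet_str != '0'`). Suggest stating that such strings are rejected with an error and that ``0`` itself is still accepted. Style: the unchanged line above spells it "zeroes" while the directives added further down in this file use "zeros"; pick one.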
@@ -117,6 +116,22 @@ write code that handles both IP versions correctly. Address objects are
117
116
>>> ipaddress.IPv4Address(b'\xC0\xA8\x00\x01')
118
117
IPv4Address('192.168.0.1')
119
118
119
+
.. versionchanged:: 3.8
120
+
121
+
Leading zeros are tolerated, even in ambiguous cases that look like
122
+
octal notation.
123
+
124
+
.. versionchanged:: 3.10
125
+
126
+
Leading zeros are no longer tolerated and are treated as an error.
127
+
IPv4 address strings are now parsed as strict as glibc
128
+
:func:`~socket.inet_pton`.
129
+
130
+
.. versionchanged:: 3.9.5
131
+
132
+
The above change was also included in Python 3.9 starting with
133
+
version 3.9.5.
134
+
120
135
.. attribute:: version
121
136
122
137
The appropriate version number: ``4`` for IPv4, ``6`` for IPv6.
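Review bot: The three added ``versionchanged`` directives are ordered 3.8, 3.10, 3.9.5, and the 3.9.5 entry reads "The above change was also included", so its meaning depends on sitting directly under the 3.10 entry. Suggest naming the change in the 3.9.5 entry itself (for example "Leading zeros are no longer tolerated, as in 3.10") so it survives reordering. In the 3.10 entry, "parsed as strict as glibc" should read "parsed as strictly as glibc".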
@@ -149,8 +149,8 @@ library/ipaddress,,:db8,>>> ipaddress.IPv6Address('2001:db8::1000')
149
149
library/ipaddress,,::,>>> ipaddress.IPv6Address('2001:db8::1000')
150
150
library/ipaddress,,:db8,'2001:db8::1000'
151
151
library/ipaddress,,::,'2001:db8::1000'
152
-
library/ipaddress,231,:db8,">>> f'{ipaddress.IPv6Address(""2001:db8::1000""):s}'"
153
-
library/ipaddress,231,::,">>> f'{ipaddress.IPv6Address(""2001:db8::1000""):s}'"
152
+
library/ipaddress,,:db8,">>> f'{ipaddress.IPv6Address(""2001:db8::1000""):s}'"
153
+
library/ipaddress,,::,">>> f'{ipaddress.IPv6Address(""2001:db8::1000""):s}'"
154
154
library/ipaddress,,::,IPv6Address('ff02::5678%1')
155
155
library/ipaddress,,::,fe80::1234
156
156
library/ipaddress,,:db8,">>> ipaddress.ip_address(""2001:db8::1"").reverse_pointer"
@@ -537,6 +537,10 @@ Scoped IPv6 addresses can be parsed using :class:`ipaddress.IPv6Address`.
537
537
If present, scope zone ID is available through the :attr:`~ipaddress.IPv6Address.scope_id` attribute.
538
538
(Contributed by Oleksandr Pavliuk in :issue:`34788`.)
539
539
540
+
Starting with Python 3.9.5 the :mod:`ipaddress` module no longer
541
+
accepts any leading zeros in IPv4 address strings.
542
+
(Contributed by Christian Heimes in :issue:`36384`).
543
+
540
544
math
541
545
----
542
546
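Review bot: The added credit line ends `:issue:`36384`).` with the period outside the parenthesis, while the entry directly above it in this hunk ends `:issue:`34788`.)` with the period inside. Suggest matching the neighbouring entry. The text also only says the module "no longer accepts" leading zeros; a half-sentence saying that previously accepted strings now raise an error would make the behaviour change explicit for readers who stop at this section.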
@@ -1114,6 +1118,14 @@ Changes in the Python API
1114
1118
compatible classes that don't inherit from those mentioned types.
1115
1119
(Contributed by Roger Aiudi in :issue:`34775`).
1116
1120
1121
+
* Starting with Python 3.9.5 the :mod:`ipaddress` module no longer
1122
+
accepts any leading zeros in IPv4 address strings. Leading zeros are
1123
+
ambiguous and interpreted as octal notation by some libraries. For example
1124
+
the legacy function :func:`socket.inet_aton` treats leading zeros as octal
1125
+
notatation. glibc implementation of modern :func:`~socket.inet_pton` does
1126
+
not accept any leading zeros.
1127
+
(Contributed by Christian Heimes in :issue:`36384`).
1128
+
1117
1129
* :func:`codecs.lookup` now normalizes the encoding name the same way as
1118
1130
:func:`encodings.normalize_encoding`, except that :func:`codecs.lookup` also
1119
1131
converts the name to lower case. For example, ``"latex+latin1"`` encoding
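Review bot: Typo in the added bullet: "notatation" should be "notation". The next sentence, "glibc implementation of modern :func:`~socket.inet_pton` does not accept", is missing its article; suggest "The glibc implementation of the modern ...". Since this bullet sits under "Changes in the Python API", it would also help to say that strings with leading zeros now raise an error instead of being parsed.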
@@ -1223,6 +1223,11 @@ def _parse_octet(cls, octet_str):
1223
1223
if len(octet_str) > 3:
1224
1224
msg = "At most 3 characters permitted in %r"
1225
1225
raise ValueError(msg % octet_str)
1226
+
# Handle leading zeros as strict as glibc's inet_pton()
1227
+
# See security bug bpo-36384
1228
+
if octet_str != '0' and octet_str[0] == '0':
1229
+
msg = "Leading zeros are not permitted in %r"
1230
+
raise ValueError(msg % octet_str)
1226
1231
# Convert to integer (we know digits are legal)
1227
1232
octet_int = int(octet_str, 10)
1228
1233
if octet_int > 255:
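Review bot: The added check `octet_str != '0' and octet_str[0] == '0'` indexes `octet_str[0]`, which raises IndexError for an empty string; nothing in the visible lines guarantees the string is non-empty, so the check is only safe if an empty-octet guard runs earlier in `_parse_octet`. Suggest `len(octet_str) > 1 and octet_str.startswith('0')`, which states the intent directly and cannot index out of range. Because the check runs after the length test, an input such as `0000` is reported as "At most 3 characters permitted" rather than as a leading-zero error; worth a test if that ordering is intentional.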
@@ -96,10 +96,23 @@ def pickle_test(self, addr):
96
96
class CommonTestMixin_v4(CommonTestMixin):
97
97
98
98
def test_leading_zeros(self):
99
-
self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
100
-
self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
101
-
self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
102
-
self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
99
+
# bpo-36384: no leading zeros to avoid ambiguity with octal notation
100
+
msg = "Leading zeros are not permitted in '\d+'"
101
+
addresses = [
102
+
"000.000.000.000",
103
+
"192.168.000.001",
104
+
"016.016.016.016",
105
+
"192.168.000.001",
106
+
"001.000.008.016",
107
+
"01.2.3.40",
108
+
"1.02.3.40",
109
+
"1.2.03.40",
110
+
"1.2.3.040",
111
+
]
112
+
for address in addresses:
113
+
with self.subTest(address=address):
114
+
with self.assertAddressError(msg):
115
+
self.factory(address)
103
116
104
117
def test_int(self):
105
118
self.assertInstancesEqual(0, "0.0.0.0")
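Review bot: In `msg = "Leading zeros are not permitted in '\d+'"` the `\d` sits in a non-raw string literal, which is an invalid escape sequence and triggers a warning on recent Python versions; make it a raw string (`r"..."`) since it is used as a regex. The `addresses` list contains "192.168.000.001" twice, so one subTest is redundant. The list also has no positive case showing that a lone zero octet such as "0.0.0.0" is still accepted as a string, which is the boundary the new `octet_str != '0'` condition exists for.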
@@ -0,0 +1,6 @@
1
+
:mod:`ipaddress` module no longer accepts any leading zeros in IPv4 address
2
+
strings. Leading zeros are ambiguous and interpreted as octal notation by
3
+
some libraries. For example the legacy function :func:`socket.inet_aton`
4
+
treats leading zeros as octal notatation. glibc implementation of modern
5
+
:func:`~socket.inet_pton` does not accept any leading zeros. For a while
6
+
the :mod:`ipaddress` module used to accept ambiguous leading zeros.
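Review bot: Typo on the fourth added line: "notatation" should be "notation"; the same sentence needs an article ("The glibc implementation of the modern ..."). The closing sentence "For a while the :mod:`ipaddress` module used to accept ambiguous leading zeros" is vague; the documentation hunk in this same change says the tolerant behaviour dates from 3.8, so the entry could name that version. Since the code comment calls this a security bug, the entry should also say that affected strings are now rejected with an error.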