Add parsing of shorthand IPv4 addresses (compatible with inet_aton
)
#12
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implementation for Feature request #15734 from Ruby bug tracker.
Many applications (like browsers,
curl
, andping
) and even Ruby's ownNet::HTTP
library accepts shorthand IPv4 addresses like127.1
or2130706433
that both stands for127.0.0.1
.But IPAddr can't accept such addresses, and it is really confusing:
This pull request makes parsing IPv4 to match the behavior of most well-known applications despite that isn't a standardized extension, but there is an RFC draft: Textual Representation of IPv4 and IPv6 Addresses.
Moreover, that mismatch in behavior could cause security vulnerabilities in Ruby applications that use network, allow users to provide URLs to access (like “Upload picture from URL”), and have incorrectly configured URL filtering. A malicious user then could provide a link like
http://2130706433/private_file
which currently will not be recognized as loopback IP address butNet::HTTP.get
will happily query local host's web server for theprivate_file
. This called an SSRF attack. Actually, I created this pull request because our security auditors reported such vulnerability in one of our applications.NOTE: There is no security flaw in ipaddr itself! It is just possible to create it when you're developing your own application.
See also:
inet_aton
man page: https://linux.die.net/man/3/inet_aton