Opened 9 years ago

Closed 8 years ago

#26578 closed Bug (fixed)

validate_ipv4_address (and probably other validators) accept non-ASCII digits

Reported by: Martin Dickopp Owned by: Iacopo Spalletti
Component: Core (Other) Version: 1.9
Severity: Normal Keywords:
Cc: github@…, greyzmeem@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

validate_ipv4_address incorrectly accepts values that contain non-ASCII digits, e.g. 127.0.0.൧ (where the last character is U+0D67) in Python 3. This appears to be caused by the use of \d in the regular expression, which matches not only ASCII digits [0-9], but any Unicode digit.

Other validators that use \d may be affected as well.

Change History (8)

comment:1 by Claude Paroz, 9 years ago

Component: UncategorizedCore (Other)
Triage Stage: UnreviewedAccepted

See also #22378.

comment:2 by Iacopo Spalletti, 9 years ago

Cc: github@… added
Owner: changed from nobody to Iacopo Spalletti
Status: newassigned

I'm willing to work on this. Following what has been done in #22378 fix is replacing \d with [0-9]+ in relevant validators

comment:3 by Emett Speer, 9 years ago

I would suggest something a little more extensive for validating IP addresses. This will get almost all invalid IP addresses. Though it does still have problems with an IP address like "192.168.00.10".

"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"

comment:4 by Tim Graham, 9 years ago

Well, actually we're trying to simplify the regular expressions we use at least in some other places (e.g. #26423). Complex regular expressions are difficult to maintain and have resulted in recursive backtracking security issues.

in reply to:  4 comment:5 by Emett Speer, 9 years ago

Replying to timgraham:

Well, actually we're trying to simplify the regular expressions we use at least in some other places (e.g. #26423). Complex regular expressions are difficult to maintain and have resulted in recursive backtracking security issues.

If having a more complex but more accurate regex validation could cause a security issue then its not worth it.

comment:6 by Andrey Maslov, 9 years ago

Cc: greyzmeem@… added

comment:7 by Tim Graham, 8 years ago

Has patch: set
Patch needs improvement: set

The PR could use a few more tests.

comment:8 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assignedclosed

In 21dd7923:

Fixed #26578 -- Prohibited non-ASCII digits in validate_ipv4_address.

Note: See TracTickets for help on using tickets.
Back to Top