Security Issues in Perl IP Address Distros

[FiveNinjas]

Hmmm, I think the premise of the blog post is incorrect.

It is positing that the correct behaviour is to interpret 010 as octal and so is the value 8.

This is not correct. The octal behaviour comes from the original BSD inet_aton function which explicitly defines and allows Octal (and hex) notation in IPv4 dotted quad notation. https://man7.org/linux/man-pages/man3/inet_aton.3.html

However, the RFC, while recognising what inet_aton did (Section 2.1.1), never allowed this and recommends against (see Section 3) https://tools.ietf.org/html/draft-main-ipaddr-text-rep-02

3.1 IPv4 Dotted Octet Format A 32-bit IPv4 address is divided into four octets. Each octet is represented numerically in decimal, using the minimum possible number of digits (leading zeroes are not used, except in the case of 0 itself).

I would argue that the Perl functions noted treating 010 as 10 (and not 8) are arguably correct.

But of course, now I have to go audit our use of them.

The simple thing to do, anywhere we permit customers to enter IP addresses, is to block use of leading zeros.

[autarch]

But it looks like things that use the system libc, like ping, _are_ accepting this. So there's clearly a case where your Perl code could treat it one way, your system another, and that skew could lead to bugs, including security bugs.

That all said, I totally agree that the best solution is to simply not accept a leading 0 in an IPv4 octet.

[fanf2]

That isn’t an RFC, it is an ancient expired IETF draft.

The most relevant RFC is https://tools.ietf.org/html/rfc6943#section-3.1.1

More in my previous comment at https://news.ycombinator.com/item?id=26621154