IPv6 address parsing doesn't limit buffer size #128840

Open
sethmlarson opened this issue Jan 14, 2025 · 6 comments
Labels
release-blocker stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@sethmlarson
Contributor

sethmlarson commented Jan 14, 2025

@sethmlarson sethmlarson added type-bug An unexpected behavior, bug, or error type-security A security issue labels Jan 14, 2025
@picnixz picnixz added the stdlib Python modules in the Lib dir label Jan 14, 2025
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Jan 14, 2025
@serhiy-storchaka
Member

I do not think this is a security issue.

gpshead added a commit that referenced this issue May 24, 2025
GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------

Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 24, 2025
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
gpshead added a commit that referenced this issue May 24, 2025
…H-128841) (#134610)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
gpshead added a commit that referenced this issue May 24, 2025
…H-128841) (#134611)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Yhg1s pushed a commit that referenced this issue May 26, 2025
…H-128841) (#134612)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
@frenzymadness
Contributor

Are you sure the fix for the issue is backward-compatible? It seems to me that addresses like 1111:2222:3333:4444:5555:6666:255.255.255.255 are now rejected even though they are valid as far as I know. Embedding of an IPv4 address into an IPv6 address is an established standard.

@frenzymadness
Contributor

Python 3.13:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
>>> addr
IPv6Address('1111:2222:3333:4444:5555:6666:ffff:ffff')

Python 3.14 beta 2:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
Traceback (most recent call last):
  File "<python-input-7>", line 1, in <module>
    addr = ipaddress.IPv6Address(domain_literal)
  File "/usr/lib64/python3.14/ipaddress.py", line 1952, in __init__
    self._ip = self._ip_int_from_string(addr_str)
               ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib64/python3.14/ipaddress.py", line 1666, in _ip_int_from_string
    raise AddressValueError(msg)
ipaddress.AddressValueError: At most 39 characters expected in '1111:2222:3333'(17 chars elided)'55.255.255.255'

@hroncok
Contributor

hroncok commented May 28, 2025

I'd like to ensure this is resolved before it is released in 3.13.4 and 3.12.11 as a (potential) regression. cc @Yhg1s

@serhiy-storchaka
Member

Thank you for your report @frenzymadness. Indeed, this is a regression.

#134836 increases the limit and improves the error message, so now the whole valid IP address will be shown if the garbage was only added at one side.
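
Added example, not part of the thread and not CPython's patch: a defensive wrapper that bounds input size before calling `ipaddress.IPv6Address`, showing why a 39-character cap rejects the address quoted above while a cap derived from the IPv4-embedded form accepts it. The names `parse_ipv6_bounded`, `accepted` and the `MAX_*` constants are hypothetical, and the limits are derived here from the address grammar rather than quoted from the fix.

```python
import ipaddress

# Longest valid textual forms, derived here from the address grammar.
# These are this example's assumptions, not constants quoted from the patch.
MAX_HEX_FORM = len(":".join(["ffff"] * 8))                      # all-hex form
MAX_V4_FORM = len(":".join(["ffff"] * 6) + ":255.255.255.255")  # IPv4 tail
MAX_PARTS = 9  # 8 groups plus one empty part from a leading/trailing "::"


def parse_ipv6_bounded(text, limit=MAX_V4_FORM):
    """Reject oversized input cheaply, then defer to ipaddress.

    Scope IDs ("%zone") count toward the limit in this example.
    """
    if len(text) > limit:
        raise ValueError(
            f"IPv6 literal is {len(text)} characters, at most {limit} allowed")
    # maxsplit caps the list split() builds regardless of input size.
    if len(text.split(":", MAX_PARTS)) > MAX_PARTS:
        raise ValueError("too many colon-separated parts")
    return ipaddress.IPv6Address(text)


def accepted(text, limit=MAX_V4_FORM):
    """True if the bounded parser accepts text under the given length cap."""
    try:
        parse_ipv6_bounded(text, limit)
        return True
    except ValueError:  # AddressValueError is a ValueError subclass
        return False


if __name__ == "__main__":
    # Constructed inputs; the first is the address quoted in the thread.
    samples = [
        "1111:2222:3333:4444:5555:6666:255.255.255.255",
        "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
        "::1",
        "1:" * 100_000,
    ]
    for s in samples:
        shown = s if len(s) <= MAX_V4_FORM else s[:20] + "..."
        print(f"{shown!r:50} cap={MAX_HEX_FORM}: "
              f"{accepted(s, MAX_HEX_FORM)!s:5} cap={MAX_V4_FORM}: {accepted(s)}")
```
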

@gpshead
Member

gpshead commented May 28, 2025

Good catch and thank you for the fixes!

gpshead pushed a commit that referenced this issue May 28, 2025
…address (GH-134836) (#134846)

gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836)
(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>
gpshead pushed a commit that referenced this issue May 28, 2025
…address (GH-134836) (#134845)

gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836)
(cherry picked from commit d83576b)

Co-authored-by: Serhiy Storchaka <[email protected]>