bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes parsing even more strict. Like socket.inet_pton() any leading zero is now treated as invalid input. Signed-off-by: Christian Heimes <christian@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl>

commit: 60ce8f0be6354ad565393ab449d8de5d713f35bc [log] [tgz]
author: Christian Heimes <christian@python.org> Sun May 02 14:00:35 2021 +0200
committer: GitHub <noreply@github.com> Sun May 02 14:00:35 2021 +0200
tree: 131beaabf8c731503be540fdd09e66f7f2000a41
parent: 73766b0341674f3920f4ea86a6f8288b801960f9 [diff] [blame]
diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
index 160b16d..af7aedf 100644
--- a/Lib/ipaddress.py
+++ b/Lib/ipaddress.py

@@ -1223,6 +1223,11 @@ def _parse_octet(cls, octet_str):
         if len(octet_str) > 3:
             msg = "At most 3 characters permitted in %r"
             raise ValueError(msg % octet_str)
+        # Handle leading zeros as strict as glibc's inet_pton()
+        # See security bug bpo-36384
+        if octet_str != '0' and octet_str[0] == '0':
+            msg = "Leading zeros are not permitted in %r"
+            raise ValueError(msg % octet_str)
         # Convert to integer (we know digits are legal)
         octet_int = int(octet_str, 10)
         if octet_int > 255:
commit	60ce8f0be6354ad565393ab449d8de5d713f35bc	[log] [tgz]
author	Christian Heimes <christian@python.org>	Sun May 02 14:00:35 2021 +0200
committer	GitHub <noreply@github.com>	Sun May 02 14:00:35 2021 +0200
tree	131beaabf8c731503be540fdd09e66f7f2000a41
parent	73766b0341674f3920f4ea86a6f8288b801960f9 [diff] [blame]