net/netip: IPv4 parser accepts leading zeroes #49365
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
In Go 1.17 we took a backwards compatibility hit to reject IPv4 addresses with leading zeroes in net.ParseIP (#30999) because they can be parsed differently (as octal) by the operating system, leading to potentially security sensistive mismatches.
netip.ParseAddr reintroduces the behavior we removed from net.ParseIP. That sounds wrong for all the reasons we decided to change net.ParseIP, and because it's now inconsistent with net.ParseIP.
The text was updated successfully, but these errors were encountered: