[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread Matt Robenolt
Matt Robenolt added the comment:

> Why do you need octal addresses? What is your use case? :-p

I didn't, but an attacker leveraged this to bypass security. We had checks against `127.0.0.1`, but this resolved to `177.0.0.1` incorrectly, bypassing the check. We were using `socket.gethostbyn

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: Ah, I just confirmed broken behavior in macOS as well using `getaddrinfo()` in C. I guess I'd be ok with Python ignoring this as well. Maybe worth a change to documentation to note this?

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: Is it worth investigating the different behavior then with `getaddrinfo` between platforms? As far as I know, that's the only method that works with both ipv6 and will tell you "here are all the IP addresses this res

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: And lastly, it seems that `socket.gethostbyname_ex` _does_ work correctly on both platforms.

```
>>> socket.gethostbyname_ex('0177...0001')
('0177...0001', [], ['127.0.0.1'])
```

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: Sorry, to add a data point, in C, `gethostbyname` also does the correct thing on macOS. See: ``` #include #include #include #include #include #include #include int main(int argc, char *argv[]) { int i; struct hostent *lh = gethostbyname

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
New submission from Matt Robenolt: This also affects socket.getaddrinfo on macOS only, but is fine on Linux. I've not tested on Windows to see behavior there. Given the IP address `0177...0001`, which is a valid octal format representing `127.0.0.1`, we can see varying results