[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2021-02-26 Thread Eryk Sun
Eryk Sun added the comment: Update from my previous comment in 2016: in Python 3.7+, the socket module's setipaddr() function calls Winsock inet_pton() instead of inet_addr(), and falls back on getaddrinfo(). Neither supports octal addresses. At least using octal fails instead of mistakenly

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread R. David Murray
R. David Murray added the comment: koobs' results are also interesting, since they indicate that *something* changed on the python side that affected this for freebsd.

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread R. David Murray
R. David Murray added the comment: There's also the fact that Eryk pointed out that there are different ways to implement this on Windows, so there might be something we want to "fix" there. It seems like we're not consistent in how we handle addresses in the various socket module functions.

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread STINNER Victor
STINNER Victor added the comment:

> I didn't, but an attacker leveraged this to bypass security.

Ah, that's a real use case. Can you please rephrase the issue title to make it more explicit? Because in this issue, it's not obvious to me if octal addresses must be accepted on all platforms,

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread Matt Robenolt
Matt Robenolt added the comment:

> Why do you need octal addresses? What is your use case? :-p

I didn't, but an attacker leveraged this to bypass security. We had checks against `127.0.0.1`, but this resolved to `177.0.0.1` incorrectly, bypassing the check. We were using

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread STINNER Victor
STINNER Victor added the comment:

> However, if someone wants to investigate further and finds a fix, we will
> evaluate it.

IMHO the best fix is to document that the exact behaviour depends on the platform, and that only IPv4 decimal and IPv6 hexadecimal are portable. Corner cases like IPv4

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread STINNER Victor
STINNER Victor added the comment: I don't understand the point of the issue. Is it a documentation issue? Python doesn't parse anything: it's a thin wrapper on top of the standard C library. If you want to complain, report the issue to the maintainers of your C library ;-)

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread Ronald Oussoren
Ronald Oussoren added the comment: For what it is worth: the relevant standard says that octal and hexadecimal addresses should be accepted (POSIX getaddrinfo refers to inet_addr for numeric IP addresses and that says that octal and hexadecimal numbers are valid in IP addresses), see:

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-26 Thread koobs
koobs added the comment: @David The symptoms from FreeBSD look a little different: Only gethostbyname affected only on 2.7 and 3.3 on all freebsd versions (9, 10, 11). Python 3.2 was not tested (freebsd port was deleted), but likely affected as well. Feels/Appears like a gethostbyname fix

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Eryk Sun
Eryk Sun added the comment: socket.gethostbyname calls the internal function setipaddr, which tries to avoid a name resolution by first calling either inet_pton or inet_addr. Otherwise it calls getaddrinfo.

Windows
---
setipaddr calls inet_addr, which supports octal [1]. ctypes example:

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: Ah, I just confirmed broken behavior in macOS as well using `getaddrinfo()` in C. I guess I'd be ok with python ignoring this as well. Maybe worth a change to documentation to note this?

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Xiang Zhang
Xiang Zhang added the comment: A similar bug report can be seen at https://github.com/dotnet/corefx/issues/8362. There someone makes a conclusion that getaddrinfo (Python seems to use getaddrinfo to implement gethostbyname) doesn't work correctly with octal form. They finally ignore this

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: Is it worth investigating the different behavior then with `getaddrinfo` between platforms? As far as I know, that's the only method that works with both ipv6 and will tell you "here are all the IP addresses this resolves to".

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread R. David Murray
R. David Murray added the comment: Hmm. Since gethostbyname is a deprecated interface, perhaps there is nothing to do here. However, if someone wants to investigate further and finds a fix, we will evaluate it.

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: And lastly, it seems that `socket.gethostbyname_ex` _does_ work correctly on both platforms.

```
>>> socket.gethostbyname_ex('0177...0001')
('0177...0001', [], ['127.0.0.1'])
```

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
Matt Robenolt added the comment: Sorry, to add a data point, in C, `gethostbyname` also does the correct thing on macOS. See: ``` #include #include #include #include #include #include #include int main(int argc, char *argv[]) { int i; struct hostent *lh =

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Xiang Zhang
Xiang Zhang added the comment: On Linux, it seems it's not an accident. inet_addr(3) explicitly says it can handle octal or hexadecimal forms.

nosy: +xiang.zhang

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread R. David Murray
R. David Murray added the comment: To clarify: by platform OS issue, I mean that the octal-conversion-or-not is none of Python's doing, it is done by the C library call that gethostbyname is a thin wrapper around.

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread R. David Murray
R. David Murray added the comment: This would appear to be a platform OS issue. Is it "broken" also for FreeBSD? (I put broken in quotes because interpreting octal isn't part of the posix spec for gethostbyname. It could even be an accident that it works on Linux. I'm not going to close

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread SilentGhost
Changes by SilentGhost: components: +Macintosh; nosy: +ned.deily, ronaldoussoren

[issue27612] socket.gethostbyname resolving octal IP addresses incorrectly

2016-07-25 Thread Matt Robenolt
New submission from Matt Robenolt: This also affects socket.getaddrinfo on macOS only, but is fine on Linux. I've not tested on Windows to see behavior there. Given the IP address `0177...0001`, which is a valid octal format representing `127.0.0.1`, we can see varying results.