[issue36384] ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

Steve Dower report at bugs.python.org
Sat Apr 3 12:41:45 EDT 2021


Steve Dower <steve.dower at python.org> added the comment:

(Copied from my comment on the PR, following the one where I said this was ready to go.)

Withdrawing the readiness - @ambv and I would prefer to see this behind a flag (probably "strict" parsing), on by default for 3.10, and maybe on by default for 3.9/earlier.

The main reasoning being that this isn't our vulnerability, but an inconsistency with other vulnerable libraries. The current fix is the best it can be, but it doesn't prevent the vulnerability, it just causes Python to break first. So it ought to be relatively easy to retain the flexible (though admittedly nonsensical) behaviour for those who currently rely on it.

----------
nosy: +steve.dower

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36384>
_______________________________________
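
An added example, not part of the original message or of the CPython patch: it shows the inconsistency discussed above, where one parser reads a leading-zero octet as decimal and another (C inet_aton-style) reads it as octal, and how a strict mode refuses the input instead. The function names and the `strict` parameter are hypothetical stand-ins for the proposed flag, not the ipaddress API, and the sample addresses are constructed.

```python
def _octets(text):
    """Split a dotted quad into four all-digit strings or raise ValueError."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted quad: {text!r}")
    return parts


def _join(values, text):
    if any(v > 255 for v in values):
        raise ValueError(f"octet out of range: {text!r}")
    return ".".join(str(v) for v in values)


def parse_decimal(text, strict=True):
    """Hypothetical parser. strict=True rejects leading zeros;
    strict=False keeps the lenient reading (leading zeros ignored)."""
    parts = _octets(text)
    if strict and any(len(p) > 1 and p[0] == "0" for p in parts):
        raise ValueError(f"leading zeros are ambiguous: {text!r}")
    return _join([int(p, 10) for p in parts], text)


def parse_octal_style(text):
    """Reads a leading-zero octet as octal, as C inet_aton-style parsers do.
    Only the dotted-quad form is modelled here."""
    parts = _octets(text)
    values = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)
              for p in parts]
    return _join(values, text)


def disagreement(text):
    """Return (decimal_reading, octal_reading) when both lenient parsers
    accept the input but resolve it to different addresses, else None."""
    try:
        dec = parse_decimal(text, strict=False)
        octal = parse_octal_style(text)
    except ValueError:
        return None
    return (dec, octal) if dec != octal else None


if __name__ == "__main__":
    # Constructed sample inputs.
    for addr in ("010.8.8.8", "0127.0.0.1", "192.168.1.1"):
        print(addr, "->", disagreement(addr))
```
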

