@raven667 @NewtonMark @voltagex @ryanc Yep, the IP address parsing is a minefield. Tons of different formats (octal, hexadecimal, IPv4-mapped IPv6 only to name a few), all supported. So many security issues due to this…
Yellow Flag (wpalant@infosec.exchange)'s status on Thursday, 24-Apr-2025 04:25:13 JST Yellow Flag
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 24-Apr-2025 04:25:11 JST Ryan Castellucci :nonbinary_flag:
@JessTheUnstill @WPalant @raven667 @NewtonMark @voltagex I trust myself more than I trust IP parsing libraries.
Jess👾 (jesstheunstill@infosec.exchange)'s status on Thursday, 24-Apr-2025 04:25:12 JST Jess👾
That's another of those I just lean on some library code to sort out...
@WPalant @raven667 @NewtonMark @voltagex @ryanc
Yellow Flag (wpalant@infosec.exchange)'s status on Thursday, 24-Apr-2025 08:36:29 JST Yellow Flag
@ryanc I trust it that you personally considered everything with your own IP parsing library but really: this is bad general advice. The trouble starts when your library processes that “cursed inet_aton nonsense” and passes it on to something that actually uses inet_aton or similar logic. And then your security checks are no longer valid because what you considered a DNS-resolvable host name is treated as an IP address further along the line, or what you considered decimal numbers is treated as octal. I’ve seen vulnerabilities due to such parser mismatches and avoiding them is very tricky.
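Added example, not part of the thread: a small Python script that makes the mismatch described above visible by comparing a strict dotted-quad check with what the platform's inet_aton accepts (glibc/BSD behaviour assumed); the sample inputs are constructed.

```python
import re
import socket

# Strict rule: exactly four decimal octets, 0-255, no leading zeros. This is
# what a careful upstream validator typically accepts as an IPv4 literal.
_STRICT_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_RE = re.compile(rf"{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}")


def parse_strict(text: str):
    """Return the address if `text` is a canonical dotted-quad, else None."""
    return text if _STRICT_RE.fullmatch(text) else None


def parse_lenient(text: str):
    """Return what the C library's inet_aton makes of `text`, else None.

    glibc/BSD inet_aton also accepts octal (0177) and hex (0x7f) parts and
    fewer than four parts ("127.1", "2130706433"). Behaviour assumed for
    Linux/BSD; other platforms may differ.
    """
    try:
        return socket.inet_ntoa(socket.inet_aton(text))
    except OSError:
        return None


def classify(text: str) -> str:
    """'address' if both parsers agree, 'hostname' if neither parses it,
    'mismatch' if only inet_aton turns it into an address.

    A mismatch is exactly the case where an upstream check treats the value
    as a DNS name (or as decimal) while downstream inet_aton-style code reads
    it as an IP literal; reject such values before forwarding them.
    """
    strict, lenient = parse_strict(text), parse_lenient(text)
    if strict is None and lenient is None:
        return "hostname"
    if strict == lenient:
        return "address"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["10.0.0.1", "example.com", "0177.0.0.1", "0x7f.1", "127.1", "2130706433"]:
        print(f"{sample!r:>14} -> {classify(sample)} (inet_aton: {parse_lenient(sample)})")
```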