Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/WPalant/statuses/114389902028403900">Wladimir Palant (wpalant@infosec.exchange)'s status on Thursday, 24-Apr-2025 08:36:29 JST</a><a href="https://infosec.exchange/@WPalant" title="wpalant@infosec.exchange"><img src="https://gnusocial.jp/avatar/164735-48-20260106114703.webp" width="48" height="48" alt="Wladimir Palant" style="position: absolute; left: 0; top: 0;">Wladimir Palant</a><div><a href="https://infosec.exchange/@ryanc/114388913976560650" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://infosec.exchange/@ryanc">@ryanc</a> I trust it that you personally considered everything with your own IP parsing library but really: this is bad general advise. The trouble starts when your library processes that “cursed inet_aton nonsense” and passes it on to something that actually uses inet_aton or similar logic. And then your security checks are no longer valid because what you considered a DNS-resolvable host name is treated as an IP address further along the line, or what you considered decimal numbers is treated as octal. I’ve seen vulnerabilities due to such parser mismatches and avoiding them is very tricky.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4941083#notice-9683722">In conversation</a><time datetime="2025-04-24T08:36:29+09:00" title="Thursday, 24-Apr-2025 08:36:29 JST">about 10 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/9683722" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/9683722">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Wladimir Palant (wpalant@infosec.exchange)'s status on Thursday, 24-Apr-2025 08:36:29 JSTWladimir Palant
in reply to
- Ryan Castellucci (they/them) :nonbinary_flag:
@ryanc I trust it that you personally considered everything with your own IP parsing library but really: this is bad general advise. The trouble starts when your library processes that “cursed inet_aton nonsense” and passes it on to something that actually uses inet_aton or similar logic. And then your security checks are no longer valid because what you considered a DNS-resolvable host name is treated as an IP address further along the line, or what you considered decimal numbers is treated as octal. I’ve seen vulnerabilities due to such parser mismatches and avoiding them is very tricky.
In conversationabout 10 months ago from gnusocial.jppermalink

Public

Embed Notice

HTML Code

Corresponding Notice