From: envek@...
Date: 2019-03-28T17:50:38+00:00
Subject: [ruby-core:92037] [Ruby trunk Feature#15734] Parsing of shorthand IPv4 addresses compatible with inet_aton

Issue #15734 has been reported by Envek (Andrey Novikov).

----------------------------------------
Feature #15734: Parsing of shorthand IPv4 addresses compatible with inet_aton
https://bugs.ruby-lang.org/issues/15734

* Author: Envek (Andrey Novikov)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
----------------------------------------

Hi Ruby team!

I've created a pull request to the ipaddr gem: https://github.com/ruby/ipaddr/pull/12

I want it to be merged and included in the version of the gem that is bundled with Ruby itself.

---

Many applications (like browsers, `curl`, and `ping`) and even Ruby's own `Net::HTTP` library accept shorthand IPv4 addresses like `127.1` or `2130706433`, both of which stand for `127.0.0.1`.

```
$ irb
irb(main):001:0> require 'net/http'
irb(main):002:0> Net::HTTP.get(URI.parse("http://127.1/")) # Success if you have a web server running locally
=> "\n\n\nWelcome to nginx!..."
```

But IPAddr can't accept such addresses, and it is really confusing:

```
irb(main):003:0> IPAddr.new("http://127.1/")
IPAddr::InvalidAddressError (invalid address: http://127.1/)
```

This pull request makes IPv4 parsing match the behavior of most well-known applications, even though that isn't a standardized extension; there is, however, an RFC draft: [Textual Representation of IPv4 and IPv6 Addresses](https://tools.ietf.org/html/draft-main-ipaddr-text-rep-00).

Moreover, that mismatch in behavior could cause security vulnerabilities in Ruby applications that use the network, allow users to provide URLs to access (like "Upload picture from URL"), and have incorrectly configured URL filtering.

A malicious user could then provide a link like `http://2130706433/private_file`, which currently will not be recognized as a loopback IP address, but `Net::HTTP.get` will happily query the local host's web server for `private_file`. This is called an [SSRF attack](https://en.wikipedia.org/wiki/Server-side_request_forgery).

Actually, I created this pull request because our security auditors reported such a vulnerability in one of our applications.

**NOTE**: There is **no** security flaw in ipaddr itself! It is just possible to get one when you're developing an application.

See also:

- Discussion at Reddit: https://www.reddit.com/r/networking/comments/7cf0zp/documentation_of_the_behavior_of_shorthand_ipv4/
- `inet_aton` man page: https://linux.die.net/man/3/inet_aton

--
https://bugs.ruby-lang.org/
Unsubscribe:
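The mismatch the report describes, in working code. This is an added example, not code from the issue, the pull request or the ipaddr gem: a small `inet_aton`-style parser (the helpers `inet_aton`, `ipv4_from_shorthand`, `naive_blocked?` and `hardened_blocked?` are hypothetical names written for this example), a URL filter built on plain `IPAddr.new` that lets `127.1` and `2130706433` through, and a hardened variant that normalizes the host literal with `inet_aton` semantics before comparing it against blocked ranges. The list of blocked ranges is an assumption for the example; DNS names, redirects and DNS rebinding are out of scope.

```ruby
require 'ipaddr'
require 'socket'
require 'uri'

# Hypothetical helper (added example, not part of the ipaddr gem): parse an
# IPv4 string the way inet_aton(3) does. The grammar is 1 to 4 dot-separated
# parts, each decimal, octal (leading 0) or hex (leading 0x); the last part
# fills all remaining low-order bytes, so "127.1" == (127 << 24) | 1.
# Returns the address as an Integer, or nil if the string does not fit the
# grammar. Trailing whitespace, which glibc tolerates, is deliberately rejected.
def inet_aton(str)
  parts = str.split('.', -1)
  return nil if parts.empty? || parts.size > 4

  values = parts.map do |p|
    case p
    when /\A0[xX][0-9a-fA-F]+\z/ then p.to_i(16)
    when /\A0[0-7]*\z/           then p.to_i(8)
    when /\A[1-9][0-9]*\z/       then p.to_i(10)
    else return nil # empty part, "08", or junk like "1a"
    end
  end

  last = values.pop
  remaining_bytes = 4 - values.size
  # Leading parts are single bytes; the last part must fit in what is left.
  return nil if values.any? { |v| v > 0xff }
  return nil if last >= (1 << (8 * remaining_bytes))

  addr = values.inject(0) { |acc, v| (acc << 8) | v }
  (addr << (8 * remaining_bytes)) | last
end

# Wrap the integer in an IPAddr so it can be compared against CIDR ranges.
def ipv4_from_shorthand(str)
  n = inet_aton(str)
  n && IPAddr.new(n, Socket::AF_INET)
end

# Ranges a "fetch this URL for me" feature normally must not reach
# (assumed list for this example; adjust to the deployment).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128
].map { |cidr| IPAddr.new(cidr) }.freeze

# The pattern the issue warns about: IPAddr.new rejects "127.1" and
# "2130706433", so a filter that treats "not parseable" as "not blocked"
# lets those hosts straight through to Net::HTTP.
def naive_blocked?(url)
  host = URI.parse(url).hostname
  ip = IPAddr.new(host)
  BLOCKED_RANGES.any? { |r| r.include?(ip) }
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Hardened variant: normalize the host literal with inet_aton semantics first,
# then fall back to IPAddr for anything else (e.g. IPv6 literals). A DNS name
# yields nil here; a real filter must resolve it and check every returned
# address at connect time.
def hardened_blocked?(url)
  host = URI.parse(url).hostname
  return false if host.nil?
  ip = ipv4_from_shorthand(host) || (IPAddr.new(host) rescue nil)
  return false if ip.nil?
  BLOCKED_RANGES.any? { |r| r.include?(ip) }
end

if $PROGRAM_NAME == __FILE__
  %w[http://127.1/ http://2130706433/private_file http://127.0.0.1/].each do |u|
    puts "#{u}: naive=#{naive_blocked?(u)} hardened=#{hardened_blocked?(u)}"
  end
end
```

The hardened check only closes the literal-host gap the issue is about; the same filter still has to resolve hostnames and apply the range check to the address that is actually connected to, otherwise a name resolving to `127.0.0.1` bypasses it just as `2130706433` does.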