InetAddress API extension proposal
Alan Bateman
Alan.Bateman at oracle.com
Wed Mar 27 23:23:16 UTC 2024
On 27/03/2024 17:05, Sergey Chernyshev wrote:
>
> In the discussion of .ofLiteral() it was not concluded that
> .ofPosixLiteral() would be insecure or undesirable. From the 'security
> issues' point of view, it is a new method, it won't change the
> behavior of old apps. If any code (a csrf filter) written in Java
> recognized (knowing what it does) additional literal address formats,
> it would only be an improvement (in detection). The good reason is
> bringing compatibility with standard tools relying on inet_addr() into
> Java, that would actually help overcoming the confusion between the
> standards. A real world example could be a Java program parsing HOSTS
> file (it allows hexadecimal address segments).
>
Again, please start a new discussion on net-dev. It would be helpful to
include a summary on the behavior between different operating system as
it's that difference, and the parsing of ambiguous corner cases, where
the security researchers will focus on.
-Alan
More information about the core-libs-dev
mailing list