InetAddress API extension proposal

Alan Bateman Alan.Bateman at oracle.com
Wed Mar 27 23:23:16 UTC 2024



On 27/03/2024 17:05, Sergey Chernyshev wrote:
>
> In the discussion of .ofLiteral() it was not concluded that
> .ofPosixLiteral() would be insecure or undesirable. From the 'security
> issues' point of view, it is a new method, it won't change the
> behavior of old apps. If any code (a CSRF filter) written in Java
> recognized (knowing what it does) additional literal address formats,
> it would only be an improvement (in detection). The good reason is
> bringing compatibility with standard tools relying on inet_addr() into
> Java, that would actually help overcome the confusion between the
> standards. A real world example could be a Java program parsing a HOSTS
> file (it allows hexadecimal address segments).
>
Again, please start a new discussion on net-dev. It would be helpful to
include a summary on the behavior between different operating systems, as
it's that difference, and the parsing of ambiguous corner cases, that
the security researchers will focus on.

-Alan
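
Added example, not part of the original message or of the JDK: a small Java parser for inet_addr()-style IPv4 literals, the formats the quoted paragraph says a filter should recognize, so that every spelling is normalized to one address before an allow/deny decision. It assumes the classic BSD inet_aton() rules (hex and octal parts, 1 to 4 parts); platforms can differ on corner cases, and the class and method names are hypothetical.

```java
public class PosixLiteralDemo {
    // One part: 0x/0X prefix = hex, leading 0 = octal, otherwise decimal.
    static long parsePart(String p) {
        int radix = 10;
        String digits = p;
        if (p.startsWith("0x") || p.startsWith("0X")) { radix = 16; digits = p.substring(2); }
        else if (p.length() > 1 && p.startsWith("0")) { radix = 8; digits = p.substring(1); }
        if (digits.isEmpty()) throw new IllegalArgumentException("empty part in literal");
        for (char c : digits.toCharArray())   // ASCII digits only; rejects signs and '8' in octal
            if (c > 127 || Character.digit(c, radix) < 0)
                throw new IllegalArgumentException("bad digit in part: " + p);
        return Long.parseLong(digits, radix); // overflow throws NumberFormatException
    }

    // a.b.c.d, a.b.c (c = 16 bits), a.b (b = 24 bits) or a (32 bits).
    static int parse(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length > 4) throw new IllegalArgumentException("too many parts: " + s);
        long addr = 0;
        for (int i = 0; i < parts.length; i++) {
            long v = parsePart(parts[i]);
            boolean last = (i == parts.length - 1);
            long max = last ? (0xFFFFFFFFL >>> (8 * i)) : 0xFFL;
            if (v > max) throw new IllegalArgumentException("part out of range: " + parts[i]);
            addr |= last ? v : (v << (8 * (3 - i)));
        }
        return (int) addr;
    }

    static String dotted(int a) {
        return (a >>> 24) + "." + ((a >>> 16) & 0xFF) + "." + ((a >>> 8) & 0xFF) + "." + (a & 0xFF);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = {"127.0.0.1", "0x7f.1", "0177.0.0.1", "2130706433",
                            "017700000001", "192.168.1", "1.2.3.256", "08.0.0.1", "1..2"};
        for (String s : samples) {
            try {
                int a = parse(s);
                boolean loopback = (a >>> 24) == 127; // 127.0.0.0/8
                System.out.printf("%-14s -> %-15s loopback=%b%n", s, dotted(a), loopback);
            } catch (IllegalArgumentException e) {
                System.out.printf("%-14s -> rejected (%s)%n", s, e.getMessage());
            }
        }
    }
}
```

A filter that compares only the dotted-decimal spelling would treat the first five samples as different hosts; after normalization they all compare equal to 127.0.0.1.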

