InetAddress API extension proposal
Sergey Chernyshev
serge.chernyshev at bell-sw.com
Thu Mar 28 19:01:09 UTC 2024
Hi Alan,
Thank you for your comments! I will post this to net-dev too as you
suggested.
On 28.03.24 at 00:23, Alan Bateman wrote:
>
>
> On 27/03/2024 17:05, Sergey Chernyshev wrote:
>>
>> In the discussion of .ofLiteral() it was not concluded that
>> .ofPosixLiteral() would be insecure or undesirable. From the
>> 'security issues' point of view, it is a new method, it won't change
>> the behavior of old apps. If any code (a CSRF filter) written in Java
>> recognized (knowing what it does) additional literal address formats,
>> it would only be an improvement (in detection). The good reason is
>> bringing compatibility with standard tools relying on inet_addr()
>> into Java, which would actually help overcome the confusion between
>> the standards. A real world example could be a Java program parsing
>> a HOSTS file (it allows hexadecimal address segments).
>>
> Again, please start a new discussion on net-dev. It would be helpful
> to include a summary on the behavior between different operating
> systems as it's that difference, and the parsing of ambiguous corner
> cases, where the security researchers will focus on.
>
> -Alan
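
The additional literal formats discussed in the quoted paragraph, as an added example that is not part of the original message and is not JDK code: a hypothetical `PosixLiteralDemo` class that parses the classic BSD `inet_addr()` forms (one to four parts, each decimal, octal or hexadecimal, which goes beyond the hexadecimal case named above) so that a filter compares the normalized address rather than the raw string. The class and method names are assumptions, and the per-OS corner-case differences Alan asks about are not modelled.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class PosixLiteralDemo {
    // One part: hex (0x...), octal (leading 0) or decimal; -1 if malformed.
    static long parsePart(String p) {
        if (!p.matches("0[xX][0-9a-fA-F]{1,8}|[0-9]{1,12}")) return -1;
        try {
            if (p.startsWith("0x") || p.startsWith("0X")) return Long.parseLong(p.substring(2), 16);
            if (p.length() > 1 && p.startsWith("0")) return Long.parseLong(p, 8);
            return Long.parseLong(p);
        } catch (NumberFormatException e) {
            return -1; // e.g. "08": the digit 8 is not valid octal
        }
    }

    // Assumed inet_addr()-style rules: a.b.c.d, a.b.c, a.b or a, where the
    // last part fills all remaining bytes. Returns null if s is not a literal.
    static InetAddress parse(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length > 4) return null;
        long addr = 0;
        for (int i = 0; i < parts.length; i++) {
            boolean last = i == parts.length - 1;
            int bits = last ? 8 * (4 - i) : 8;
            long v = parsePart(parts[i]);
            if (v < 0 || v >= (1L << bits)) return null; // part out of range
            addr = (addr << bits) | v;
        }
        byte[] b = {(byte) (addr >>> 24), (byte) (addr >>> 16), (byte) (addr >>> 8), (byte) addr};
        try {
            return InetAddress.getByAddress(b); // no name lookup is performed
        } catch (UnknownHostException e) {
            return null; // unreachable: the array always has length 4
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = {"127.0.0.1", "0x7f.0.0.1", "0x7f.1", "017700000001",
                            "2130706433", "192.168.0x1.10", "256.1.1.1", "example.org"};
        for (String s : samples) {
            InetAddress a = parse(s);
            System.out.printf("%-16s -> %s%n", s, a == null ? "not a literal"
                : a.getHostAddress() + (a.isLoopbackAddress() ? " (loopback)" : ""));
        }
    }
}
```

A filter that matches only the dotted-decimal string would treat the second to fifth samples as unknown, while a tool built on `inet_addr()` resolves all of them to the loopback address.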
More information about the core-libs-dev
mailing list