List: openjdk-core-libs-dev
Subject: Re: InetAddress API extension proposal
From: Sergey Chernyshev <serge.chernyshev () bell-sw ! com>
Date: 2024-03-28 19:01:09
Message-ID: 6b15929e-1861-40b5-ac38-ac890d7bc3b6 () bell-sw ! com
Hi Alan,
Thank you for your comments! I will post this to net-dev too as you
suggested.
On 28.03.24 at 00:23, Alan Bateman wrote:
>
>
> On 27/03/2024 17:05, Sergey Chernyshev wrote:
>>
>> In the discussion of .ofLiteral() it was not concluded that
>> .ofPosixLiteral() would be insecure or undesirable. From the
>> 'security issues' point of view, it is a new method, it won't change
>> the behavior of old apps. If any code (a csrf filter) written in Java
>> recognized (knowing what it does) additional literal address formats,
>> it would only be an improvement (in detection). The good reason is
>> bringing compatibility with standard tools relying on inet_addr()
>> into Java, that would actually help overcome the confusion between
>> the standards. A real world example could be a Java program parsing
>> HOSTS file (it allows hexadecimal address segments).
>>
> Again, please start a new discussion on net-dev. It would be helpful
> to include a summary on the behavior between different operating
> systems as it's that difference, and the parsing of ambiguous corner
> cases, where the security researchers will focus on.
>
> -Alan
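
Added example, not part of the thread and not OpenJDK code or the proposed `.ofPosixLiteral()` implementation: a sketch of the `inet_addr()` literal rules (1 to 4 parts, each decimal, octal or hex, the last part filling the remaining bytes) used to normalise an address before a filter compares it. The class and method names are hypothetical, and rejecting a bare `0x` is an assumption of this sketch rather than documented platform behaviour.

```java
import java.util.List;

public class PosixLiteralDemo {
    // One part, C radix rules: "0x"/"0X" prefix is hex, a leading "0" is octal, else decimal.
    static long parsePart(String s) {
        int radix = 10;
        String digits = s;
        if (s.startsWith("0x") || s.startsWith("0X")) { radix = 16; digits = s.substring(2); }
        else if (s.length() > 1 && s.startsWith("0")) { radix = 8; digits = s.substring(1); }
        // 11 digits covers the longest 32-bit octal form and cannot overflow a long.
        if (digits.isEmpty() || digits.length() > 11)
            throw new IllegalArgumentException("bad part: " + s);
        for (char c : digits.toCharArray())
            // c > 'f' rejects non-ASCII digits; Character.digit rejects signs and wrong-radix chars.
            if (c > 'f' || Character.digit(c, radix) < 0)
                throw new IllegalArgumentException("bad part: " + s);
        return Long.parseLong(digits, radix);
    }

    // 1 to 4 parts; the last part fills all remaining bytes (a.b.c.d, a.b.c, a.b, a).
    static int toIPv4(String literal) {
        String[] parts = literal.split("\\.", -1);
        if (parts.length > 4) throw new IllegalArgumentException("too many parts: " + literal);
        long addr = 0;
        for (int i = 0; i < parts.length; i++) {
            long v = parsePart(parts[i]);
            int bits = (i == parts.length - 1) ? 8 * (4 - i) : 8;
            if (v >= (1L << bits)) throw new IllegalArgumentException("part out of range: " + literal);
            addr = (addr << bits) | v;
        }
        return (int) addr;
    }

    static String dotted(int a) {
        return (a >>> 24) + "." + ((a >>> 16) & 0xFF) + "." + ((a >>> 8) & 0xFF) + "." + (a & 0xFF);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: five spellings of one address, then two invalid literals.
        for (String s : List.of("127.0.0.1", "0x7f.0.0.1", "0177.0.0.1", "127.1",
                                "2130706433", "127.0.0.256", "08.0.0.1")) {
            try {
                int a = toIPv4(s);
                System.out.println(s + " -> " + dotted(a) + " loopback=" + ((a >>> 24) == 127));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

A filter that compares the normalised 32-bit value rather than the literal's text treats every spelling of an address the same way.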