List:       openjdk-core-libs-dev
Subject:    Re: InetAddress API extension proposal
From:       Sergey Chernyshev <serge.chernyshev () bell-sw ! com>
Date:       2024-03-28 19:01:09
Message-ID: 6b15929e-1861-40b5-ac38-ac890d7bc3b6 () bell-sw ! com

Hi Alan,

Thank you for your comments! I will post this to net-dev too as you 
suggested.


On 28.03.24 at 00:23, Alan Bateman wrote:
>
>
> On 27/03/2024 17:05, Sergey Chernyshev wrote:
>>
>> In the discussion of .ofLiteral() it was not concluded that 
>> .ofPosixLiteral() would be insecure or undesirable. From the 
>> 'security issues' point of view, it is a new method, it won't change 
>> the behavior of old apps. If any code (a csrf filter) written in Java 
>> recognized (knowing what it does) additional literal address formats, 
>> it would only be an improvement (in detection). The good reason is 
>> bringing compatibility with standard tools relying on inet_addr() 
>> into Java, that would actually help overcoming the confusion between 
>> the standards. A real world example could be a Java program parsing 
>> HOSTS file (it allows hexadecimal address segments).
>>
> Again, please start a new discussion on net-dev. It would be helpful 
> to include a summary on the behavior between different operating 
> systems as it's that difference, and the parsing of ambiguous corner 
> cases, where the security researchers will focus on.
>
> -Alan
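
The inet_addr() literal forms discussed in this message (one to four parts, each decimal, octal or hexadecimal), as an added example that is not part of the original e-mail and is not OpenJDK code. The hypothetical helper `parsePosix` reduces each spelling to one 32-bit value so a filter can compare canonical addresses instead of strings; the class name, the sample inputs and the 11-digit cap per part are assumptions made for this sketch.

```java
import java.util.List;

// Added example: hypothetical helper, not the OpenJDK implementation.
public class PosixLiteralDemo {
    // Parses an IPv4 literal under inet_addr() rules: 1 to 4 parts, each
    // decimal, octal (leading 0) or hex (leading 0x); the last part fills
    // all remaining bytes. Returns the 32-bit address, or -1 if invalid.
    static long parsePosix(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length > 4) return -1;
        long addr = 0;
        for (int i = 0; i < parts.length; i++) {
            long v = parsePart(parts[i]);
            boolean last = (i == parts.length - 1);
            int bits = last ? 8 * (4 - i) : 8;   // width this part may occupy
            if (v < 0 || v > (1L << bits) - 1) return -1;
            addr = (addr << bits) | v;
        }
        return addr;
    }

    // One part: ASCII digits only, no sign, radix chosen by prefix.
    static long parsePart(String p) {
        int radix = 10;
        if (p.length() > 2 && (p.startsWith("0x") || p.startsWith("0X"))) {
            radix = 16; p = p.substring(2);
        } else if (p.length() > 1 && p.startsWith("0")) {
            radix = 8; p = p.substring(1);
        }
        if (p.isEmpty() || p.length() > 11) return -1;  // cap is a simplification
        for (char c : p.toCharArray())
            if (c > 127 || Character.digit(c, radix) < 0) return -1;
        return Long.parseLong(p, radix);
    }

    static String canonical(long a) {
        return (a >> 24 & 0xFF) + "." + (a >> 16 & 0xFF) + "."
                + (a >> 8 & 0xFF) + "." + (a & 0xFF);
    }

    public static void main(String[] args) {
        // Constructed inputs: spellings of one address, plus two invalid ones.
        List<String> samples = List.of("127.0.0.1", "0x7f.0.0.1", "0177.0.0.1",
                "127.1", "2130706433", "0x7f000001", "127.0.0.256", "1.2.3.4.5");
        for (String s : samples) {
            long a = parsePosix(s);
            System.out.println(s + " -> " + (a < 0 ? "rejected" : canonical(a)));
        }
    }
}
```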