Hi Alan,
Thank you for your comments! I will post this to net-dev too as you
suggested.
On 28.03.24 at 00:23, Alan Bateman wrote:
On 27/03/2024 17:05, Sergey Chernyshev wrote:
In the discussion of .ofLiteral() it was not concluded that
.ofPosixLiteral() would be insecure or undesirable. From the
'security issues' point of view, it is a new method; it won't change
the behavior of old apps. If any code (a CSRF filter) written in Java
recognized (knowing what it does) additional literal address formats,
it would only be an improvement (in detection). The good reason is
bringing compatibility with standard tools relying on inet_addr()
into Java, which would actually help overcome the confusion between
the standards. A real-world example could be a Java program parsing
a HOSTS file (it allows hexadecimal address segments).
Again, please start a new discussion on net-dev. It would be helpful
to include a summary of the behavior between different operating
systems, as it's that difference, and the parsing of ambiguous corner
cases, that the security researchers will focus on.
-Alan
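The corner cases the thread is about, shown as an added example (not code from the thread or from OpenJDK): a small C classifier that runs a string through the strict dotted-decimal parser (inet_pton(), roughly what a strict literal parser accepts) and through the historical BSD grammar used by inet_addr()/inet_aton() (decimal, octal with a leading 0, hex with a leading 0x, and 1 to 4 parts). Inputs that only the second parser accepts are the ones a filter written against the strict grammar would treat as host names while the C library resolves them to an address. The sample inputs are constructed, and the results assume a glibc- or BSD-style libc.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* How the two C parsers treat one string. */
enum literal_kind {
    LITERAL_INVALID,    /* neither parser accepts it: it is a host name, not an address */
    LITERAL_STRICT,     /* four-part dotted decimal: both parsers agree */
    LITERAL_POSIX_ONLY  /* only inet_aton() accepts it: hex, octal or short forms */
};

/* Classify `s`; when accepted, store the address in network byte order. */
enum literal_kind classify_literal(const char *s, uint32_t *addr_out)
{
    struct in_addr strict, posix;

    /* inet_pton() implements the strict a.b.c.d grammar (rejects leading zeros). */
    if (inet_pton(AF_INET, s, &strict) == 1) {
        *addr_out = strict.s_addr;
        return LITERAL_STRICT;
    }
    /* inet_aton() implements the inet_addr() grammar: 1-4 parts, each decimal,
     * octal (leading 0) or hex (leading 0x); the last part fills the rest. */
    if (inet_aton(s, &posix) != 0) {
        *addr_out = posix.s_addr;
        return LITERAL_POSIX_ONLY;
    }
    return LITERAL_INVALID;
}

/* True when a strict-only filter would see a host name where libc sees an address. */
int is_ambiguous_literal(const char *s)
{
    uint32_t a;
    return classify_literal(s, &a) == LITERAL_POSIX_ONLY;
}

int main(void)
{
    /* Constructed sample inputs; the last one is a plain host name. */
    const char *samples[] = { "127.0.0.1", "127.1", "0x7f.1", "0177.0.0.1",
                              "2130706433", "localhost" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint32_t a = 0;
        enum literal_kind k = classify_literal(samples[i], &a);
        struct in_addr in = { .s_addr = a };
        printf("%-12s kind=%d %s\n", samples[i], (int)k,
               k == LITERAL_INVALID ? "(not an address literal)" : inet_ntoa(in));
    }
    return 0;
}
```

All of "127.1", "0x7f.1", "0177.0.0.1" and "2130706433" come back as 127.0.0.1 from inet_aton() while inet_pton() rejects every one of them, which is exactly the per-platform behavior Alan asks to have summarized.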