Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.12] gh-113171: gh-65056: Fix "private" (non-global) IP address ranges (GH-113179) (GH-113186) #118177

Merged
merged 2 commits into from
Apr 24, 2024

Conversation

encukou
Copy link
Member

@encukou encukou commented Apr 23, 2024

This backports a security fix and the associated documentation:

jstasiak and others added 2 commits April 23, 2024 13:52
…ation (pythonGH-113186)

* pythonGH-65056: Improve the IP address' is_global/is_private documentation

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

Co-authored-by: Petr Viktorin <encukou@gmail.com>
…ythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

I left 100.64.0.0/10 alone, for now, as it's been made special in [1]
and I'm not sure if we want to undo that as I don't quite understand the
motivation behind it.

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

(cherry picked from commit 40d75c2)
@encukou encukou merged commit f86b17a into python:3.12 Apr 24, 2024
32 checks passed
@encukou encukou deleted the backport-40d75c2-3.12 branch April 24, 2024 12:29
@encukou encukou added the needs backport to 3.11 only security fixes label Apr 24, 2024
@miss-islington-app
Copy link

Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

@miss-islington-app
Copy link

Sorry, @encukou, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker f86b17ac511e68192ba71f27e752321a3252cee3 3.11

encukou added a commit to encukou/cpython that referenced this pull request Apr 24, 2024
…s ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
@bedevere-app
Copy link

bedevere-app bot commented Apr 24, 2024

GH-118227 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Apr 24, 2024
encukou added a commit to encukou/cpython that referenced this pull request Apr 24, 2024
…s ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
@bedevere-app
Copy link

bedevere-app bot commented Apr 24, 2024

GH-118229 is a backport of this pull request to the 3.10 branch.

encukou added a commit to encukou/cpython that referenced this pull request May 1, 2024
…s ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
@bedevere-app
Copy link

bedevere-app bot commented May 1, 2024

GH-118472 is a backport of this pull request to the 3.9 branch.

encukou added a commit to encukou/cpython that referenced this pull request May 1, 2024
…s ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
@bedevere-app
Copy link

bedevere-app bot commented May 1, 2024

GH-118479 is a backport of this pull request to the 3.8 branch.

ambv pushed a commit that referenced this pull request May 7, 2024
…ges (GH-113179) (GH-113186) (GH-118177) (GH-118229)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] #61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").

---------

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
ambv pushed a commit that referenced this pull request May 7, 2024
…es (GH-113179) (GH-113186) (GH-118177) (GH-118472)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] #61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").

---------

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
ambv pushed a commit that referenced this pull request May 7, 2024
…es (GH-113179) (GH-113186) (GH-118177) (GH-118479)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] #61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").

---------

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Jul 3, 2024
…113179) (pythonGH-113186) (pythonGH-118177)

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

pythongh-113171: pythongh-65056: Fix "private" (non-global) IP address ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

Add IPv6 addresses to suspignore.csv

That's a lot of semicolons!

(cherry picked from commit e366724)

Add notable changes
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Jul 4, 2024
…113179) (pythonGH-113186) (pythonGH-118177)

* Fix "private" (non-global) IP address ranges (pythonGH-113179) (pythonGH-113186)
(pythonGH-118177)

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

pythongh-113171: pythongh-65056: Fix "private" (non-global) IP address ranges
(pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

Add IPv6 addresses to suspignore.csv

That's a lot of semicolons!

(cherry picked from commit e366724)
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Jul 8, 2024
…113179) (pythonGH-113186) (pythonGH-118177)

* Fix "private" (non-global) IP address ranges (pythonGH-113179) (pythonGH-113186)
(pythonGH-118177)

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

pythongh-113171: pythongh-65056: Fix "private" (non-global) IP address ranges
(pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

Add IPv6 addresses to suspignore.csv

That's a lot of semicolons!

(cherry picked from commit e366724)
rickprice pushed a commit to ActiveState/cpython that referenced this pull request Jul 12, 2024
…113179) (pythonGH-113186) (pythonGH-118177)

* Fix "private" (non-global) IP address ranges (pythonGH-113179) (pythonGH-113186)
(pythonGH-118177)

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

pythongh-113171: pythongh-65056: Fix "private" (non-global) IP address ranges
(pythonGH-113179) (pythonGH-113186) (pythonGH-118177)

* pythonGH-113171: Fix "private" (non-global) IP address ranges (pythonGH-113179)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

* pythonGH-65056: Improve the IP address' is_global/is_private documentation (pythonGH-113186)

It wasn't clear what the semantics of is_global/is_private are and, when
one gets to the bottom of it, it's not quite so simple (hence the
exceptions listed).

(cherry picked from commit 2a4cbf1)
(cherry picked from commit 40d75c2)

---------

(cherry picked from commit f86b17a)

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
(cherry picked from commit 05a1467)

Add IPv6 addresses to suspignore.csv

That's a lot of semicolons!

(cherry picked from commit e366724)
frenzymadness pushed a commit to frenzymadness/cpython that referenced this pull request Aug 13, 2024
… address ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177) (pythonGH-118472)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").

---------

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
frenzymadness pushed a commit to fedora-python/cpython that referenced this pull request Aug 15, 2024
… address ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177) (pythonGH-118472)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").

---------

Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
stratakis pushed a commit to stratakis/cpython that referenced this pull request Aug 15, 2024
… address ranges (pythonGH-113179) (pythonGH-113186) (pythonGH-118177) (pythonGH-118472)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] python#61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants