Check for empty strings and zero bytes in is_valid_ip.

Closes tornadoweb#893.
shafiahmed · Aug 25, 2013 · f4ad3b7 · f4ad3b7
1 parent 8e0e4e1
commit f4ad3b7
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/tornado/netutil.py b/tornado/netutil.py
@@ -159,6 +159,10 @@ def is_valid_ip(ip):
 
     Supports IPv4 and IPv6.
     """
+    if not ip or '\x00' in ip:
+        # getaddrinfo resolves empty strings to localhost, and truncates
+        # on zero bytes.
+        return False
     try:
         res = socket.getaddrinfo(ip, 0, socket.AF_UNSPEC,
                                  socket.SOCK_STREAM,

diff --git a/tornado/test/netutil_test.py b/tornado/test/netutil_test.py
@@ -82,3 +82,7 @@ def test_is_valid_ip(self):
         self.assertTrue(not is_valid_ip('localhost'))
         self.assertTrue(not is_valid_ip('4.4.4.4<'))
         self.assertTrue(not is_valid_ip(' 127.0.0.1'))
+        self.assertTrue(not is_valid_ip(''))
+        self.assertTrue(not is_valid_ip(' '))
+        self.assertTrue(not is_valid_ip('\n'))
+        self.assertTrue(not is_valid_ip('\x00'))