Vulnerabilities found in the Rust and Go networking libraries that allow IP validation to be bypassed

A few days ago, information was published about vulnerabilities found in the standard libraries of the Rust and Go languages, related to the incorrect handling of IP addresses containing octal digits in the address-parsing functions.

These vulnerabilities are reported to allow the checks that validate an address in an application to be bypassed, for example to obtain access to loopback interface addresses or intranet subnets when a server-side request forgery (SSRF) attack is carried out.

The flaw in both languages is that IP address strings written with a leading zero should, according to the specification, be interpreted as octal numbers, but the problem that causes the confusion is that many libraries ignore this and simply discard the zero, so they end up treating the value as a decimal number.

For example, to understand how IP addresses are interpreted under these bugs: the number 0177 in octal is 127 in decimal, and an attacker can request a resource by specifying the value "0177.0.0.1", which, if it is not taken as octal, is read in decimal notation as "127.0.0.1".

That is why, when one of the affected libraries is used, the application will not detect that the address 0177.0.0.1 falls in the 127.0.0.1 subnet, but in reality, when the request is sent, the address "0177.0.0.1" can be called and, because of the incorrect interpretation, the network functions will treat it as 127.0.0.1. In the same way, access to intranet addresses can be spoofed and the validation bypassed by specifying different representations, which an attacker examines to see whether they can be used.

On the Rust side, the problem was found in the standard library "std::net" and has already been registered as "CVE-2021-29922". It is explained that this library's IP address parser discards the zeros preceding the address values, but only if no more than three digits are specified; for example, "0177.0.0.1" will be interpreted as an invalid value and an incorrect result is returned in response.

Improper validation of octal input strings in the rust-lang standard "net" library allows unauthenticated remote attackers to perform indeterminate SSRF, RFI and LFI attacks on many programs that depend on rust-lang std::net. The octets of the IP address are left stripped instead of being evaluated as a valid IP address.

It is also noted that applications that use the std::net::IpAddr library when parsing user-specified addresses can be affected by SSRF (server-side request forgery), RFI (remote file inclusion) and LFI (local file inclusion). Likewise, an attacker can enter 127.0.026.1, which is actually 127.0.22

For example, an attacker who sends an IP address to a web application built on std::net::IpAddr can cause SSRF by entering octal input data; an attacker can submit exploitable IP addresses when an octet has three digits, with the lowest exploitable octet being 3, which leads to a denial of service, and the highest octet 08, which also leads to a denial of service.

If you want to know more about this vulnerability in Rust, you can consult the report at the following link. It is also noted that the vulnerability was fixed in the Rust 1.53.0 branch.

As for the problem that affects Go, it is noted that it concerns the standard library "net" and has already been registered under CVE-2021-29923. The description states that it allows unauthenticated remote attackers to perform indeterminate SSRF, RFI and LFI attacks on many programs that depend on golang's built-in net. Individual CIDR IP octets are stripped instead of being evaluated as valid IP octets.

For example, an attacker can pass the value 00000177.0.0.1, which, when checked by the net.ParseCIDR function, will be treated as 177.0.0.1/24 instead of 127.0.0.1/24. The problem also shows up on the Kubernetes platform. The vulnerability was fixed in Go version 1.16.3 and beta version 1.17.
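The safest defensive stance against the ambiguity described above is to refuse any octet written with a leading zero before the string ever reaches a network parser. The following Go program, an added example that is not part of the original article and not code from the Rust or Go projects, contrasts a strict canonical dotted-decimal parser with an inet_aton-style reading (via strconv.ParseUint with base 0, where a leading 0 selects octal) to show how the two readings of the same constructed input diverge; ParseIPv4Strict and ParseIPv4Legacy are hypothetical names chosen for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseIPv4Strict accepts only canonical dotted-decimal text: four octets of
// 1-3 digits, no leading zeros, each <= 255. "0177.0.0.1" is rejected, not reinterpreted.
func ParseIPv4Strict(s string) ([4]byte, bool) {
	var ip [4]byte
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return ip, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || len(p) > 3 || p[0] < '0' || (len(p) > 1 && p[0] == '0') || n > 255 {
			return ip, false
		}
		ip[i] = byte(n)
	}
	return ip, true
}

// ParseIPv4Legacy mimics the inet_aton-style reading in which a leading 0 marks an
// octal octet. It is here only to show how the readings diverge; never use it for access decisions.
func ParseIPv4Legacy(s string) ([4]byte, bool) {
	var ip [4]byte
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return ip, false
	}
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 0, 8) // base 0: "0177" parses as octal 127
		if err != nil {
			return ip, false
		}
		ip[i] = byte(n)
	}
	return ip, true
}

func main() {
	_, ok := ParseIPv4Strict("0177.0.0.1") // constructed input taken from the article's example
	legacy, _ := ParseIPv4Legacy("0177.0.0.1")
	fmt.Println(ok, legacy) // false [127 0 0 1]
}
```

If the strict parser rejects a string, treat the request as invalid rather than falling back to the permissive reading, since the permissive reading is exactly what turns "0177.0.0.1" into loopback.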

You can learn more about this problem at the following link.
