A vulnerability in the Rust and Go network libraries bypasses IP address validation

Recently, information was published about a vulnerability found in the standard libraries of the Rust and Go languages, related to the incorrect handling of IP addresses with octal digits in the address parsing functions.

It is mentioned that these vulnerabilities allow the validation of permitted addresses in applications to be bypassed, for example to gain access to loopback interface addresses or intranet subnets when carrying out server-side request forgery attacks.

The vulnerability in both languages: IP address strings with a leading zero should, in theory, be interpreted as octal numbers, but the problem that causes this glitch is that many libraries ignore this and simply discard the zero, so they end up treating the value as a decimal number.

For example, to understand how IP addresses are interpreted with these bugs: the number 0177 in octal is 127 in decimal, and an attacker can request a resource specifying the value "0177.0.0.1", which, if it is not taken as octal, is "127.0.0.1" in decimal notation.

Therefore, an application using one of the problematic libraries will not detect that the address 0177.0.0.1 falls within the 127.0.0.1 subnet; but in fact, when the request is sent, the address "0177.0.0.1" may be contacted because of the incorrect parsing, since the network functions will process it as 127.0.0.1. Similarly, access to intranet addresses can be spoofed and confirmed by specifying different values, which an attacker will test in order to exploit the flaw.

On the Rust side, the problem was found to affect the standard library "std::net" and has already been catalogued under "CVE-2021-29922". It is described that the library's IP address parser discards the zero in front of the address values, but only if no more than three digits are specified; for example, "0177.0.0.1" will be interpreted as an invalid value and an incorrect result will be returned in response.

Incorrect octal string parsing in rust-lang's standard "net" library allows unauthenticated attackers to perform SSRF, RFI and LFI attacks on many programs that depend on rust-lang std::net. The octets of the IP address are stripped instead of being evaluated as valid IP addresses.

It is also mentioned that applications that use the std::net::IpAddr library when parsing user-specified addresses may be vulnerable to SSRF (server-side request forgery), RFI (remote file inclusion) and LFI (local file inclusion) attacks. Similarly, an attacker can enter 127.0.026.1, which is 127.0.22

For example, an attacker sending an IP address to a web application based on std::net::IpAddr could cause an SSRF by entering octal input data; an attacker can send exploitable IP addresses if the octet has 3 digits, with the minimum exploitable octet being 08, leading to a denial of service, and the maximum exploitable octet being 099, leading to a denial of service.

If you want to know more about this vulnerability in Rust, you can check the details at the following link. It is also mentioned that the vulnerability was fixed in the Rust 1.53.0 branch.

Moving on to the problem affecting Go, it is mentioned that this affects the standard library "net" and has already been listed under CVE-2021-29923. The description mentions that it allows unauthenticated attackers to perform SSRF, RFI and LFI attacks on many programs that depend on Go's built-in net. The octets of the IP CIDR are stripped instead of being evaluated as valid IP octets.

For example, an attacker could pass the value 00000177.0.0.1, which, when checked with net's ParseCIDR function, is parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability was fixed in the Go 1.16.3 release and the 1.17 beta release.
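The parsing gap described above for both libraries, as an added Go example (this is not code from the Go or Rust projects): a lenient parser that drops leading zeros, an inet_aton-style parser that treats them as octal, and the hardened parser that rejects leading zeros outright. The `AllowedDestination` policy and the function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parseQuad reads a dotted quad with strconv.ParseUint in the given base.
// Base 10 reproduces the pre-fix behaviour the article describes (leading zeros
// silently dropped, "00000177" -> 177); base 0 reproduces inet_aton ("0177" -> 127).
func parseQuad(s string, base int) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four octets", s)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		v, err := strconv.ParseUint(p, base, 8) // bitSize 8 also rejects > 255
		if err != nil {
			return nil, fmt.Errorf("octet %q: %w", p, err)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

func LenientIPv4(s string) (net.IP, error)  { return parseQuad(s, 10) }
func InetAtonIPv4(s string) (net.IP, error) { return parseQuad(s, 0) }

// StrictIPv4 is the hardened parser (the behaviour Go adopted in the fix):
// plain decimal octets with no leading zero, so the string means the same
// address to every library and to the OS socket layer.
func StrictIPv4(s string) (net.IP, error) {
	for _, p := range strings.Split(s, ".") {
		if len(p) > 1 && p[0] == '0' {
			return nil, fmt.Errorf("octet %q has a leading zero", p)
		}
	}
	return parseQuad(s, 10)
}

// AllowedDestination is an example SSRF policy (an assumption of this example):
// strict parse first, then refuse loopback and RFC 1918 private ranges.
func AllowedDestination(s string) bool {
	ip, err := StrictIPv4(s)
	return err == nil && !ip.IsLoopback() && !ip.IsPrivate()
}
```

The same string passes the lenient check as 177.0.0.1 yet reaches 127.0.0.1 at the socket layer; rejecting leading zeros at the validation boundary removes that ambiguity.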

You can read more about the vulnerability at the following link.
