author | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2019-11-26 12:28:44 +0200 |
---|---|---|
committer | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2019-11-26 13:33:46 +0200 |
commit | 95911d9e550ddee6ce8ac4feb99ac15a43c15a8d (patch) | |
tree | 4d12381089b8eee225b522b4a96ae1402dbc3c16 /src/saml2/validate.py | |
parent | 9bc9e57521f702a9a6b17020ede508a067e43cd5 (diff) | |
Extend checks for IPv6 addresses
- Make sure enclosing brackets match.
- Use the built-in classes/checks for the IPv6/IPv4 address format.
- Extend tests to bad cases
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Diffstat (limited to 'src/saml2/validate.py')
-rw-r--r-- | src/saml2/validate.py | 56 |
1 files changed, 16 insertions, 40 deletions
diff --git a/src/saml2/validate.py b/src/saml2/validate.py
index c6caf47d..26de5472 100644
--- a/src/saml2/validate.py
+++ b/src/saml2/validate.py
@@ -4,6 +4,9 @@ import re
 import struct
 import base64
 import time
+from ipaddress import AddressValueError
+from ipaddress import IPv4Address
+from ipaddress import IPv6Address
 from saml2 import time_util
@@ -112,57 +115,30 @@ def validate_before(not_before, slack):
 def valid_address(address):
+    """Validate IPv4/IPv6 addresses."""
     if not (valid_ipv4(address) or valid_ipv6(address)):
         raise NotValid("address")
     return True
 def valid_ipv4(address):
-    parts = address.split(".")
-    if len(parts) != 4:
+    """Validate IPv4 addresses."""
+    try:
+        IPv4Address(address)
+    except AddressValueError:
         return False
-    for item in parts:
-        try:
-            if not 0 <= int(item) <= 255:
-                raise NotValid("ipv4")
-        except ValueError:
-            return False
     return True
-#
-IPV6_PATTERN = re.compile(r"""
-    ^
-    \s*                         # Leading whitespace
-    \[?                         # See https://tools.ietf.org/html/rfc4038#section-5.1
-    (?!.*::.*::)                # Only a single wildcard allowed
-    (?:(?!:)|:(?=:))            # Colon iff it would be part of a wildcard
-    (?:                         # Repeat 6 times:
-        [0-9a-f]{0,4}           # A group of at most four hexadecimal digits
-        (?:(?<=::)|(?<!::):)    # Colon unless preceeded by wildcard
-    ){6}                        #
-    (?:                         # Either
-        [0-9a-f]{0,4}           # Another group
-        (?:(?<=::)|(?<!::):)    # Colon unless preceeded by wildcard
-        [0-9a-f]{0,4}           # Last group
-        (?: (?<=::)             # Colon iff preceeded by exacly one colon
-         |  (?<!:)              #
-         |  (?<=:) (?<!::) :    #
-        )                       # OR
-    |                           # A v4 address with NO leading zeros
-        (?:25[0-4]|2[0-4]\d|1\d\d|[1-9]?\d)
-        (?: \.
-            (?:25[0-4]|2[0-4]\d|1\d\d|[1-9]?\d)
-        ){3}
-    )
-    \]?                         # See https://tools.ietf.org/html/rfc4038#section-5.1
-    \s*                         # Trailing whitespace
-    $
-""", re.VERBOSE | re.IGNORECASE | re.DOTALL)
 def valid_ipv6(address):
-    """Validates IPv6 addresses. """
-    return IPV6_PATTERN.match(address) is not None
+    """Validate IPv6 addresses."""
+    is_enclosed_in_brackets = address.startswith("[") and address.endswith("]")
+    address_raw = address[1:-1] if is_enclosed_in_brackets else address
+    try:
+        IPv6Address(address_raw)
+    except AddressValueError:
+        return False
+    return True
 def valid_boolean(val):
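Review bot: The new `valid_ipv4` and `valid_ipv6` in this hunk forward their argument unchecked to `IPv4Address`/`IPv6Address`, which also accept ints and 4/16-byte `bytes` and `str()`-coerce anything else, so `valid_ipv4(0)` and `valid_ipv4(b"\x7f\x00\x00\x01")` now return True, and a non-string that fails the IPv4 branch reaches `address.startswith` in `valid_ipv6` and raises AttributeError instead of returning False. Adding `if not isinstance(address, str): return False` at the top of both keeps the check to the textual form the SAML attribute carries. `IPv6Address` also accepts a zone index such as `fe80::1%eth0` on Python 3.9+, which the removed pattern rejected; if that is not wanted here, reject `"%" in address_raw` before constructing. If Python 2 is still supported (not visible in this diff), `ipaddress` there is a backport whose constructors treat a byte `str` as a packed address, so the value must be passed as text for either check to succeed.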