Check for empty strings and zero bytes in is_valid_ip.

Closes #893.

diff --git a/tornado/netutil.py b/tornado/netutil.py
index 3703718043d82e05b4ec4297f50daac79f31dcd3..9dc8506ebf06a45194e471500992e7e513c3ffb4 100644 (file)
--- a/tornado/netutil.py
+++ b/tornado/netutil.py
@@ -159,6 +159,10 @@ def is_valid_ip(ip):
 
     Supports IPv4 and IPv6.
     """
+    if not ip or '\x00' in ip:
+        # getaddrinfo resolves empty strings to localhost, and truncates
+        # on zero bytes.
+        return False
     try:
         res = socket.getaddrinfo(ip, 0, socket.AF_UNSPEC,
                                  socket.SOCK_STREAM,

diff --git a/tornado/test/netutil_test.py b/tornado/test/netutil_test.py
index cf587bcbd85f299cd3df4c2b34039ea79acdcdfe..c47e58fa34171af4913d25a3eb10c9fc2c769886 100644 (file)
--- a/tornado/test/netutil_test.py
+++ b/tornado/test/netutil_test.py
@@ -82,3 +82,7 @@ class IsValidIPTest(unittest.TestCase):
         self.assertTrue(not is_valid_ip('localhost'))
         self.assertTrue(not is_valid_ip('4.4.4.4<'))
         self.assertTrue(not is_valid_ip(' 127.0.0.1'))
+        self.assertTrue(not is_valid_ip(''))
+        self.assertTrue(not is_valid_ip(' '))
+        self.assertTrue(not is_valid_ip('\n'))
+        self.assertTrue(not is_valid_ip('\x00'))