From f4ad3b778b31f88db1a5824429a5ac27a262799d Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Sat, 24 Aug 2013 22:06:00 -0400
Subject: [PATCH] Check for empty strings and zero bytes in is_valid_ip.

Closes #893.
---
 tornado/netutil.py           | 4 ++++
 tornado/test/netutil_test.py | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/tornado/netutil.py b/tornado/netutil.py
index 370371804..9dc8506eb 100644
--- a/tornado/netutil.py
+++ b/tornado/netutil.py
@@ -159,6 +159,10 @@ def is_valid_ip(ip):
 
     Supports IPv4 and IPv6.
     """
+    if not ip or '\x00' in ip:
+        # getaddrinfo resolves empty strings to localhost, and truncates
+        # on zero bytes.
+        return False
     try:
         res = socket.getaddrinfo(ip, 0, socket.AF_UNSPEC,
                                  socket.SOCK_STREAM,
diff --git a/tornado/test/netutil_test.py b/tornado/test/netutil_test.py
index cf587bcbd..c47e58fa3 100644
--- a/tornado/test/netutil_test.py
+++ b/tornado/test/netutil_test.py
@@ -82,3 +82,7 @@ class IsValidIPTest(unittest.TestCase):
         self.assertTrue(not is_valid_ip('localhost'))
         self.assertTrue(not is_valid_ip('4.4.4.4<'))
         self.assertTrue(not is_valid_ip(' 127.0.0.1'))
+        self.assertTrue(not is_valid_ip(''))
+        self.assertTrue(not is_valid_ip(' '))
+        self.assertTrue(not is_valid_ip('\n'))
+        self.assertTrue(not is_valid_ip('\x00'))
-- 
2.47.2