Skip to content

Uri.parseIPv4Address accepts IPv4 addresses with arbitrary number of leading zeroes while InternetAddress.tryParse does not. #61392

Closed
Closed
Uri.parseIPv4Address accepts IPv4 addresses with arbitrary number of leading zeroes while InternetAddress.tryParse does not.#61392
Assignees
lrhn
Labels
area-core-librarySDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries.library-coretype-bugIncorrect behavior (everything from a crash to more subtle misbehavior)
@elliotwutingfeng

Description

@elliotwutingfeng
elliotwutingfeng
opened on Aug 24, 2025
import 'dart:io';

void main() {
  const String normalIp = '123.1.1.1';
  print(Uri.parseIPv4Address(normalIp));
  print(InternetAddress.tryParse(normalIp));
  // Output
  // [123, 1, 1, 1]
  // InternetAddress('123.1.1.1', IPv4)

  final String lotsOfLeadingZeroesIp = '${'0' * 10_000_000}123.1.1.1';
  print(Uri.parseIPv4Address(lotsOfLeadingZeroesIp));
  print(InternetAddress.tryParse(lotsOfLeadingZeroesIp));
  // Output
  // [123, 1, 1, 1]
  // null
}

Passing a IPv4 string with a large number of leading zeroes in any of the octets to Uri.parseIPv4Address would lead to long parsing time and high memory usage. This may be a security concern. Uri.parseIPv6Address is also affected (for the trailing IPv4 part of the IPv6 address).

InternetAddress.tryParse however rejects leading zeroes and is not affected.

Should Uri.parseIPv4Address be changed to match the behavior of InternetAddress.tryParse? It may affect users who use it to parse IPv4 addresses in octal form.

Tested on Dart 3.9.0 (stable) on "linux_x64"

Metadata

Metadata

Assignees

Labels

area-core-librarySDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries.library-coretype-bugIncorrect behavior (everything from a crash to more subtle misbehavior)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions