Do not allow IP address in HSTS list

As per [rfc6797](https://tools.ietf.org/html/rfc6797#section-8.1.1), do not allow IPv4 or IPv6 addresses as host entries into the HSTS list. servo/servo#6105
2025-08-03 12:40:06 +01:00 · 2015-06-22 14:59:28 -07:00 · 2015-06-22 14:59:28 -07:00 · 72d4433587
commit 72d4433587
parent d2f35555b9
2 changed files with 33 additions and 5 deletions
--- a/components/net/resource_task.rs
+++ b/components/net/resource_task.rs
@ -26,17 +26,22 @@ use hyper::mime::{Mime, TopLevel, SubLevel};

 use rustc_serialize::json::{decode};

+use regex::Regex;
 use std::borrow::ToOwned;
 use std::boxed::FnBox;
 use std::collections::HashMap;
 use std::env;
 use std::fs::File;
 use std::io::{BufReader, Read};
-use std::str::{FromStr, from_utf8};
+use std::str::{from_utf8};
 use std::sync::Arc;
 use std::sync::mpsc::{channel, Receiver, Sender};

 static mut HOST_TABLE: Option<*mut HashMap<String, String>> = None;
+static IPV4_REGEX: Regex = regex!(
+    r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
+);
+static IPV6_REGEX: Regex = regex!(r"^([a-fA-F0-9]{0,4}[:]?){1,8}(/\d{1,3})?$");

 pub fn global_init() {
    //TODO: handle bad file path
@ -240,6 +245,10 @@ impl HSTSList {
    }

    pub fn push(&mut self, host: String, include_subdomains: bool) {
+        if IPV4_REGEX.is_match(&host) || IPV6_REGEX.is_match(&host) {
+            return
+        }
+
        let have_domain = self.has_domain(host.clone());
        let have_subdomain = self.has_subdomain(host.clone());

@ -288,16 +297,13 @@ impl HSTSList {
 }

 pub fn parse_hostsfile(hostsfile_content: &str) -> Box<HashMap<String, String>> {
-    let ipv4_regex = regex!(
-        r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
-    let ipv6_regex = regex!(r"^([a-fA-F0-9]{0,4}[:]?){1,8}(/\d{1,3})?$");
    let mut host_table = HashMap::new();
    let lines: Vec<&str> = hostsfile_content.split('\n').collect();

    for line in lines.iter() {
        let ip_host: Vec<&str> = line.trim().split(|c: char| c == ' ' || c == '\t').collect();
        if ip_host.len() > 1 {
-            if !ipv4_regex.is_match(ip_host[0]) && !ipv6_regex.is_match(ip_host[0]) { continue; }
+            if !IPV4_REGEX.is_match(ip_host[0]) && !IPV6_REGEX.is_match(ip_host[0]) { continue; }
            let address = ip_host[0].to_owned();

            for token in ip_host.iter().skip(1) {
--- a/tests/unit/net/resource_task.rs
+++ b/tests/unit/net/resource_task.rs
@ -19,6 +19,28 @@ fn test_exit() {
    resource_task.send(ControlMsg::Exit).unwrap();
 }

+#[test]
+fn test_push_entry_to_hsts_list_should_not_add_ipv6_addresses() {
+    let mut list = HSTSList {
+        entries: Vec::new()
+    };
+
+    list.push("2001:0db8:0000:0000:0000:ff00:0042:8329".to_string(), false);
+
+    assert!(list.entries.len() == 0)
+}
+
+#[test]
+fn test_push_entry_to_hsts_list_should_not_add_ipv4_addresses() {
+    let mut list = HSTSList {
+        entries: Vec::new()
+    };
+
+    list.push("8.8.8.8".to_string(), false);
+
+    assert!(list.entries.len() == 0)
+}
+
 #[test]
 fn test_push_entry_to_hsts_list_should_not_add_subdomains_whose_superdomain_is_already_matched() {
    let mut list = HSTSList {