Reject non-IPv4 domains that end in numbers

MattMenke2 · domenic · TimothyGu · web-flow · commit ab0e820b0b55 · 2021-08-05T16:53:18.000+02:00
If the last domain label of a URL's domain is numeric, it's parsed as IPv4, and if that fails, it's rejected. E.g., "foo.0", "bar.0.09", "a.1.2.0x.", "1.2.3.4.5" were all previously considered valid non-IPv4 domains, but are now all rejected. Tests: web-platform-tests/wpt#29666. Fixes #560. Co-authored-by: Domenic Denicola <d@domenic.me> Co-authored-by: Timothy Gu <timothygu99@gmail.com> Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
diff --git a/url.bs b/url.bs
@@ -655,17 +655,45 @@ runs these steps:
  <li><p>If <var>asciiDomain</var> contains a <a>forbidden host code point</a>,
  <a>validation error</a>, return failure.
 
- <li><p>Let <var>ipv4Host</var> be the result of <a lt="IPv4 parser">IPv4 parsing</a>
- <var>asciiDomain</var>.
-
- <li><p>If <var>ipv4Host</var> is an <a>IPv4 address</a> or failure, return
- <var>ipv4Host</var>.
+ <li><p>If <var>asciiDomain</var> <a lt="ends in a number checker">ends in a number</a>, then return
+ the result of <a lt="IPv4 parser">IPv4 parsing</a> <var>asciiDomain</var>.
 
  <li><p>Return <var>asciiDomain</var>.
 </ol>
 
 <hr>
 
+<p>The <dfn>ends in a number checker</dfn> takes a string <var>input</var> and then runs these
+steps:
+
+<ol>
+ <li><p>Let <var>parts</var> be the result of <a>strictly splitting</a> <var>input</var> on
+ U+002E (.).
+
+ <li>
+  <p>If the last <a for=list>item</a> in <var>parts</var> is the empty string, then:
+
+  <ol>
+   <li><p>If <var>parts</var>'s <a for=list>size</a> is 1, then return false.
+
+   <li><p><a for=list>Remove</a> the last <a for=list>item</a> from <var>parts</var>.
+  </ol>
+
+ <li><p>Let <var>last</var> be the last <a for=list>item</a> in <var>parts</var>.
+
+ <li><p>If parsing <var>last</var> as an <a lt="IPv4 number parser">IPv4 number</a> does not
+ return failure, then return true.
+
+ <li>
+  <p>If <var>last</var> is non-empty and contains only <a>ASCII digits</a>, then return true.
+
+  <p class=note>This can happen if <var>last</var> starts with "<code>0</code>" so the
+  <a lt="IPv4 number parser">IPv4 number parser</a> tries to parse it as octal, but it is not a
+  valid octal number, as is the case with, for example, "<code>09</code>".
+
+ <li><p>Return false.
+</ol>
+
 <p>The <dfn id=concept-ipv4-parser>IPv4 parser</dfn> takes a string <var>input</var> and then runs
 these steps:
 
@@ -692,24 +720,19 @@ these steps:
         but if it somehow is this conditional makes sure we can keep going. -->
   </ol>
 
- <li><p>If <var>parts</var>'s <a for=list>size</a> is greater than 4, then return <var>input</var>.
+ <li><p>If <var>parts</var>'s <a for=list>size</a> is greater than 4, <a>validation error</a>,
+ return failure.
 
  <li><p>Let <var>numbers</var> be an empty <a for=/>list</a>.
 
  <li>
   <p><a for=list>For each</a> <var>part</var> of <var>parts</var>:
 
   <ol>
-   <li>
-    <p>If <var>part</var> is the empty string, then return <var>input</var>.
-
-    <p class="example no-backref" id=example-c2afe535><code>0..0x300</code> is a
-    <a>domain</a>, not an <a>IPv4 address</a>.
-
    <li><p>Let <var>result</var> be the result of <a lt="IPv4 number parser">parsing</a>
    <var>part</var>.
 
-   <li><p>If <var>result</var> is failure, then return <var>input</var>.
+   <li><p>If <var>result</var> is failure, <a>validation error</a>, return failure.
 
    <li><p>If <var>result</var>[1] is true, then set <var>validationError</var> to true.
 
@@ -754,6 +777,8 @@ these steps:
 <p>The <dfn>IPv4 number parser</dfn> takes a string <var>input</var> and then runs these steps:
 
 <ol>
+ <li><p>If <var>input</var> is the empty string, then return failure.
+
  <li><p>Let <var>validationError</var> be false.
 
  <li><p>Let <var>R</var> be 10.
