IPy suffers from a blacklist bypass vulnerability.
52330e16a8c0db217b73de740ed229579f3d9b070a700c148046face2ef36557
IPy is a Python "class and tools for handling of IPv4 and IPv6 addresses
and networks" (https://github.com/haypo/python-ipy). This library is
sometimes used to implement blacklists forbidding internal, private or
loopback addresses.
Using octal encoding (supported by urllib2), it is possible to bypass
checks based on the result of the iptype() function. For example, IP
address '0177.0000.0000.0001' is considered as 'PUBLIC' but resolves to
'127.0.0.1' when accessed via urllib2.
Developers were informed, no news since then... More details on my blog:
http://www.agarri.fr/kom/archives/2014/10/15/bypassing_blacklists_based_on_ipy/index.html
Cheers,
Nicolas Grégoire