Closed Bug 479336 (CVE-2009-0652) Opened 15 years ago Closed 15 years ago

IDN blacklist needs to include box-drawing characters

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: dveditz, Assigned: dveditz)

Details

(Keywords: fixed1.8.1.21, fixed1.9.1, verified1.9.0.9, Whiteboard: [sg:low])

Attachments

(2 files)

patch - v1
2.21 KB, patch
dveditz
: review+
benjamin
: approval1.9.1+
dveditz
: approval1.9.0.9+
dveditz
: approval1.8.1.next+
Details | Diff | Splinter Review
1.8.0 version
1.85 KB, patch
Details | Diff | Splinter Review 
The IDN code contains a blacklist of characters that are confusingly similar to others that automatically kick us into the punycode display. This is stored as the pref "network.IDN.blacklist_chars".

Apparently we're missing the box-drawing characters, and a recent talk at blackhat DC appears to have taken advantage of that to spoof an SSL connection to a bank.
https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

Since it's just a screen shot I can't be sure, but I can reproduce the results with those characters.
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.1?
Flags: blocking1.9.0.8?
Flags: blocking1.8.1.next?
Whiteboard: [sg:low]
Specifically I meant 
 2571 BOX DRAWING LIGHT DIAGONAL UPPER RIGHT TO LOWER LEFT

There are other potential omissions from the list, characters that look similar to other characters we've already included. Should maybe consider
 066A ARABIC PERCENT SIGN 
   (and maybe 0609 and 060A depending on font)
 2052 COMMERCIAL MINUS SIGN
both are percent signs with tiny dots, which on my system/font made a pretty good slash in the URL field.
 2041 CARET INSERTION POINT (looks like a slash with a smudge on the bottom)

If we've included 05C3 HEBREW PUNCTUATION SOF PASUQ because it looks like a colon, shouldn't we also have
 02D0 MODIFIER LETTER TRIANGULAR COLON
 0589 ARMENIAN FULL STOP
 2236 RATIO
 A789 MODIFIER LETTER COLON

We've got 0702 SYRIAC SUBLINEAR FULL STOP. We might want to look into
 0701 SYRIAC SUPRALINEAR FULL STOP    (I doubt this one)
 0703 SYRIAC SUPRALINEAR COLON
 0704 SYRIAC SUBLINEAR COLON

We're inconsistent about fractions. We block on xBC and xBD but not xBE, and in the range 2153-215F which are all fractions we reject seven and allow six.

One that doesn't work in my font but shows up in the Unicode charts as a slash-like char is
 1735 PHILIPPINE SINGLE PUNCTUATION

In any case, we need to add 2571.
Yep, chuck them all in. If we find a letter that has this problem, we may have to stop and ask more questions, but if it's punctuation, I have no problem adding it.

Gerv
Flags: blocking1.8.1.next?
Assignee: nobody → dveditz
Flags: blocking1.9.0.8? → blocking1.9.0.8+
Many of those punctuation characters probably would have been coalesced under NAMEPREP had they existed in earlier Unicode versions. Looks like the IETF is in the process of standardizing "IDNA2008" to replace the earlier IDNA2003 (rfc 3490,3491,3492) we're following.

I filed bug 479520 on looking into that for a future version, for now we should just blacklist these characters.

I didn't find any characters scarier than what Moxie Marlinspike revealed at BlackHat, unhiding this bug to reduce duplicate filings.
Group: core-security
Attached patch patch - v1Splinter Review 

        Attachment #363436 -
        Flags: review?(gerv)

    
    

    
  
Comment on attachment 363436 [details] [diff] [review]
patch - v1

r=dveditz

This much looks good.

        Attachment #363436 -
        Flags: review?(gerv) → review+

    
  

        Attachment #363436 -
        Flags: approval1.9.1?

        Attachment #363436 -
        Flags: approval1.9.0.8?

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/a884555d99c5
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1

    
    

    
  
Comment on attachment 363436 [details] [diff] [review]
patch - v1

approved for 1.8.1.21 and 1.9.0.8, a=dveditz for release-drivers

        Attachment #363436 -
        Flags: approval1.9.0.8?

        Attachment #363436 -
        Flags: approval1.9.0.8+

        Attachment #363436 -
        Flags: approval1.8.1.next+

    
  
Keywords: checkin-needed

    
    

    
  
Fix checked into the 1.8 branch
Keywords: fixed1.8.1.21

    
    

    
  
Fix checked into the 1.9.0 branch
Keywords: fixed1.9.0.8

    
  
Keywords: checkin-needed

    
  
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2

    
  

        Attachment #363436 -
        Flags: approval1.9.1? → approval1.9.1+

    
    

    
  
Verified that fix is checked in for 1.9.0.
Keywords: fixed1.9.0.9verified1.9.0.9

    
  
Alias: CVE-2009-0652

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: