Closed
Bug 1367442
Opened 7 years ago
Closed 7 years ago
IDN URL Spoofing with TIFINAGH LETTER YAN
Categories
(Core :: Networking, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: rbcomic12, Unassigned)
References
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0 Build ID: 20170518000419 Steps to reproduce: there are some letters which are exactly look alike, I don't know if they're allowed or not but if they're allowed then we've got a serious problem over here. For example: -) “ⵏ” U+2D4F --> http://xn--appe-220c.com/ ( http://appⵏe.com ) Actual results: In the above example; It is extremely difficult (nearly impossible) to distinguish b/w apple.com AND http://xn--appe-220c.com/ Expected results: It should covert it into punnycode.
Comment 1•7 years ago
|
||
This is a mixed script domain, so it shouldn't work... But if I put xn--appe-220c.com into my "localhosts" file, it does indeed seem to. Unless we use different behaviour for that, this seems wrong. This character should not be allowed according to: http://www.unicode.org/Public/security/latest/IdentifierStatus.txt or even http://www.unicode.org/Public/security/8.0.0/xidmodifications.txt jfkthame: over to you again... Why are we allowing this character at all, and why is our script-mixing code not firing? Gerv
Flags: needinfo?(jfkthame)
Comment 2•7 years ago
|
||
Basically the same answer as bug 1364283 comment 3: Tifinagh is "Aspirational Use" (http://www.unicode.org/reports/tr31/#Aspirational_Use_Scripts), and therefore allowed to be mixed with Latin in the Moderately Restrictive profile (http://www.unicode.org/reports/tr39/#Restriction_Level_Detection). This will be changing in the forthcoming update to UAX#31, and the patch just landed in bug 1364283 implements the change (in anticipation) in Firefox, so that should resolve the issue. (FWIW, the example in comment 0 doesn't seem problematic on my machine, as the “ⵏ” character is visibly quite different from a Latin "l". But that would be dependent on the particular fonts; the result probably varies between systems.)
Flags: needinfo?(jfkthame)
Comment 3•7 years ago
|
||
This appears to be fixed by bug 1364283
Group: firefox-core-security → network-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Component: Untriaged → Networking
Depends on: CVE-2017-7764
Product: Firefox → Core
Resolution: --- → FIXED
Updated•7 years ago
|
Group: network-core-security → core-security-release
Updated•7 years ago
|
Flags: sec-bounty?
Comment 4•7 years ago
|
||
This is effectively a duplicate of the issues raised by bug 1364283, reported on May 11, so does not qualify for bounty. The patch on bug 1364283 fixed this issue when it was checked in today.
Flags: sec-bounty? → sec-bounty-
Can you cc me on the respective bug?
Flags: needinfo?(mcmanus)
Comment 6•7 years ago
|
||
(In reply to rbcomic12 from comment #5) > Can you cc me on the respective bug? I'll leave that up to al. Thanks for the report.
Flags: needinfo?(mcmanus) → needinfo?(abillings)
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•