Closed Bug 1404349 Opened 3 years ago Closed 3 years ago

"moderately restrictive" IDN spoofing with U+05B4 (Hebrew NSM) despite fix for bug 1370497

Categories

(Firefox :: Address Bar, defect)

57 Branch
Unspecified
macOS
defect
Not set
normal

Tracking

VERIFIED FIXED
Firefox 58
Tracking Status
firefox-esr52 --- wontfix
firefox56 --- wontfix
firefox57 --- disabled
firefox58 --- verified

People

(Reporter: chromium.khalil, Assigned: jfkthame)

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [post-critsmash-triage] masked/fixed by bug 1399939)

Attachments

(2 files)

Firefox should not allow mixing Latin with Hebrew characters, as of the last fix in bug 1370497.

http://www.gooִgle.com (U+05B4)
How is this not a duplicate of bug 1370497? In nightly I get Punycode.
Flags: needinfo?(chromium.khalil)
(In reply to Daniel Veditz [:dveditz] from comment #1)
> How is this not a duplicate of bug 1370497? In nightly I get Punycode.

I was able to repro it before the fix for bug 1399939. Also, on Chrome they disallowed Arabic/Hebrew NSMs, not only Arabic: https://bugs.chromium.org/p/chromium/issues/detail?id=729979#c18.
Flags: needinfo?(chromium.khalil)
STR: set the pref network.IDN.restriction_profile to "moderate" (the default before bug 1399939 changed it to "high") and open the link from comment 0: http://www.gooִgle.com

(In reply to Khalil Zhani from comment #2)
> on Chrome they disallowed Arabic/Hebrew NSMs not only Arabic

The fix in bug 1370497 was not specific to Arabic, although the testcase was.

Jonathan: why is U+05B4 slipping through that code? They appear to be marked similarly in the Unicode tables:

05B4;HEBREW POINT HIRIQ;Mn;14;NSM;;;;;N;;;;;
0650;ARABIC KASRA;Mn;32;NSM;;;;;N;ARABIC KASRAH;;;;

It's a little bit of a moot point since bug 1399939 has landed and also seems to prevent this, but I worry we're missing something here.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jfkthame)
Summary: URL spoofing with using Latin + Hebrew character → "moderately restrictive" IDN spoofing with U+05B4 (Hebrew NSM) despite fix for bug 1370497
Whiteboard: masked/fixed by bug 1399939
There's a bug in the patch that landed in bug 1370497: it works as intended for diacritics that have Script=INHERITED as their primary Unicode script property (which includes the Arabic vowels that are also used in Syriac, for example); but fails for diacritics that have a specific Script property (such as this Hebrew example), because in that case, the `lastScript` variable has already been updated to the Script value of the diacritic before the new check is performed.

It's easy to fix this, by deferring the update of the `lastScript` variable until the end of the loop, after the diacritic-script check has been done (if applicable).
Flags: needinfo?(jfkthame)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
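As an added illustration (not Firefox's code and not part of this bug report), a Python model of the loop described in the comment above: the buggy ordering records the diacritic's own script in `lastScript` before the diacritic-script check runs, so a Hebrew point after Latin letters slips through, while the fixed ordering defers that update to the end of the iteration. The script and mark tables are constructed stand-ins for the Unicode database, and `illegal_combo` is a simplification of the moderately restrictive profile.

```python
import unicodedata

# Constructed stand-in for the Unicode Script property (values are the real
# ones for these code points; assumption: labels only use characters covered here).
SCRIPT = {0x05B4: "Hebrew", 0x0650: "Inherited", 0x0301: "Inherited"}
# Constructed stand-in for "which base scripts may this mark attach to".
MARK_ALLOWED_BASES = {0x05B4: {"Hebrew"}, 0x0650: {"Arabic", "Syriac"},
                      0x0301: {"Latin", "Greek", "Cyrillic"}}

def script_of(ch):
    cp = ord(ch)
    if ch.isascii() and ch.isalpha():
        return "Latin"
    if 0x05D0 <= cp <= 0x05EA:
        return "Hebrew"
    if 0x0620 <= cp <= 0x064A:
        return "Arabic"
    if 0x0400 <= cp <= 0x04FF:
        return "Cyrillic"
    return SCRIPT.get(cp, "Common")   # digits, hyphen, etc. -> Common

def illegal_combo(a, b):
    # Simplified "moderately restrictive" profile (UTS #39): two different scripts
    # may mix only if one is Latin and the other is not Cyrillic, Greek or Cherokee.
    return "Latin" not in (a, b) or bool({a, b} & {"Cyrillic", "Greek", "Cherokee"})

def is_label_safe(label, defer_update):
    """Mixed-script check modelled on the comment's description (assumption, not
    Firefox's exact code). defer_update=False reproduces the bug, True the fix."""
    last_script = None
    for ch in label:
        script = script_of(ch)
        if script not in ("Common", "Inherited") and script != last_script:
            if last_script is not None and illegal_combo(last_script, script):
                return False
            if not defer_update:
                last_script = script   # buggy: the mark's own script clobbers the base script
        if unicodedata.category(ch) == "Mn":
            # Diacritic-script check from bug 1370497: the mark must suit the base script.
            if last_script not in MARK_ALLOWED_BASES.get(ord(ch), set()):
                return False
        if defer_update and script not in ("Common", "Inherited"):
            last_script = script       # fixed: update only after the check above
    return True

if __name__ == "__main__":
    for label in ["goo\u05b4gle", "goo\u0650gle", "\u05e9\u05b4\u05d9\u05e8", "cafe\u0301"]:
        print(f"{label!r}: buggy={is_label_safe(label, False)} fixed={is_label_safe(label, True)}")
```

The Arabic kasra case (Script=Inherited) is rejected by both orderings, which is why the original testcase passed; only the fixed ordering also rejects the Hebrew hiriq, while a genuine Hebrew word carrying the same point stays allowed.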
Attachment #8916426 - Flags: review?(valentin.gosu) → review+
https://hg.mozilla.org/mozilla-central/rev/e92d092fdacc
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → Firefox 58
Group: firefox-core-security → core-security-release
Although a valid bug in our earlier fix, it was also effectively "fixed" by bug 1399939 and unfortunately does not warrant a bounty.
Whiteboard: masked/fixed by bug 1399939 → [post-critsmash-triage] masked/fixed by bug 1399939
I reproduced this issue on Nightly 58.0a1 (2017-09-29) under macOS 10.13, using steps from comment 3. The issue is fixed on Release 58.0, Beta 58.0b16 and on latest Nightly (2018-01-22) under macOS 10.13, macOS 10.12 and OS X 10.11.
Status: RESOLVED → VERIFIED
Group: core-security-release