Closed
Bug 1404349
Opened 7 years ago
Closed 7 years ago
"moderately restrictive" IDN spoofing with U+05B4 (Hebrew NSM) despite fix for bug 1370497
Categories
(Firefox :: Address Bar, defect)
VERIFIED
FIXED
Firefox 58
People
(Reporter: chromium.khalil, Assigned: jfkthame)
References
Details
(Keywords: csectype-spoof, sec-moderate, Whiteboard: [post-critsmash-triage] masked/fixed by bug 1399939)
Attachments
(2 files)
243.90 KB, image/png
2.83 KB, patch (valentin: review+)
Firefox should not allow mixing Latin with Hebrew characters, as in the last fix in bug 1370497. http://www.gooִgle.com (U+05B4)
Comment 1•7 years ago
How is this not a duplicate of bug 1370497? In nightly I get Punycode.
Flags: needinfo?(chromium.khalil)
Comment 2•7 years ago (Reporter)
(In reply to Daniel Veditz [:dveditz] from comment #1)
> How is this not a duplicate of bug 1370497? In nightly I get Punycode.

I was able to repro it before the fix for bug 1399939. Also, on Chrome they disallowed Arabic/Hebrew NSMs, not only Arabic: https://bugs.chromium.org/p/chromium/issues/detail?id=729979#c18
Flags: needinfo?(chromium.khalil)
Comment 3•7 years ago
STR: set the pref network.IDN.restriction_profile to "moderate" (the default before bug 1399939 changed it to "high") and open the link from comment 0: http://www.gooִgle.com

(In reply to Khalil Zhani from comment #2)
> on Chrome they disallowed Arabic/Hebrew NSMs not only Arabic

The fix in bug 1370497 was not specific to Arabic, although the testcase was.

Jonathan: why is U+05B4 slipping through that code? They appear to be marked similarly in the Unicode tables:

05B4;HEBREW POINT HIRIQ;Mn;14;NSM;;;;;N;;;;;
0650;ARABIC KASRA;Mn;32;NSM;;;;;N;ARABIC KASRAH;;;;

It's a little bit of a moot point since bug 1399939 has landed and also seems to prevent this, but I worry we're missing something here.
Status: UNCONFIRMED → NEW
status-firefox56:
--- → affected
status-firefox57:
--- → disabled
status-firefox-esr52:
--- → wontfix
Ever confirmed: true
Flags: needinfo?(jfkthame)
Summary: URL spoofing with using Latin + Hebrew character → "moderately restrictive" IDN spoofing with U+05B4 (Hebrew NSM) despite fix for bug 1370497
Whiteboard: masked/fixed by bug 1399939
Updated•7 years ago
status-firefox58:
--- → disabled
Keywords: csectype-spoof,
sec-moderate
Comment 4•7 years ago (Assignee)
There's a bug in the patch that landed in bug 1370497: it works as intended for diacritics that have Script=INHERITED as their primary Unicode script property (which includes the Arabic vowels that are also used in Syriac, for example); but fails for diacritics that have a specific Script property (such as this Hebrew example), because in that case, the `lastScript` variable has already been updated to the Script value of the diacritic before the new check is performed. It's easy to fix this, by deferring the update of the `lastScript` variable until the end of the loop, after the diacritic-script check has been done (if applicable).
Flags: needinfo?(jfkthame)
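A simplified model of the ordering problem described in comment 4, added here as an illustration; it is not the Firefox source or the attached patch. The `Script` enum, the `lookup` mini-table and `labelPassesMarkCheck` are hypothetical names, and the model covers only the mark-versus-preceding-script check, not the restriction profile's script-combination rules.

```cpp
// Added illustration (not Firefox source): simplified model of the loop in comment 4.
#include <cstdio>
#include <set>
#include <string>

enum Script { COMMON, INHERITED, LATIN, HEBREW, ARABIC, SYRIAC, INVALID };

struct CharInfo {
  Script script;         // primary Script property
  bool isMark;           // General_Category Mn (nonspacing mark)
  std::set<Script> ext;  // scripts the character is used with
};

// Constructed mini-table covering only the code points used in this example.
static CharInfo lookup(char32_t ch) {
  if (ch == 0x05B4) return {HEBREW, true, {HEBREW}};             // HEBREW POINT HIRIQ
  if (ch == 0x0650) return {INHERITED, true, {ARABIC, SYRIAC}};  // ARABIC KASRA
  if (ch >= 0x05D0 && ch <= 0x05EA) return {HEBREW, false, {HEBREW}};
  if (ch >= U'a' && ch <= U'z') return {LATIN, false, {LATIN}};
  return {COMMON, false, {COMMON}};
}

// True if every mark belongs to the script of the text before it.
// deferUpdate=false: lastScript is updated before the mark check (the bug).
// deferUpdate=true:  lastScript is updated at the end of the loop (the fix).
bool labelPassesMarkCheck(const std::u32string& label, bool deferUpdate) {
  Script lastScript = INVALID;
  for (char32_t ch : label) {
    CharInfo ci = lookup(ch);
    bool specific = ci.script != COMMON && ci.script != INHERITED;
    if (!deferUpdate && specific) lastScript = ci.script;  // too early for marks
    if (ci.isMark && lastScript != INVALID && !ci.ext.count(lastScript))
      return false;  // mark's scripts do not include the preceding script
    if (deferUpdate && specific) lastScript = ci.script;
  }
  return true;
}

int main() {
  const std::u32string hebrewMark = U"goo\u05B4gle";  // label from comment 0
  const std::u32string arabicMark = U"goo\u0650gle";  // constructed Arabic counterpart
  std::printf("U+05B4 early=%d deferred=%d\n",
              labelPassesMarkCheck(hebrewMark, false), labelPassesMarkCheck(hebrewMark, true));
  std::printf("U+0650 early=%d deferred=%d\n",
              labelPassesMarkCheck(arabicMark, false), labelPassesMarkCheck(arabicMark, true));
  return 0;
}
```

The Script=INHERITED mark is rejected under either ordering because it never changes `lastScript`; only the mark with its own Script value depends on when the update happens.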
Comment 5•7 years ago (Assignee)
Attachment #8916426 -
Flags: review?(valentin.gosu)
Updated•7 years ago (Assignee)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Updated•7 years ago
Attachment #8916426 -
Flags: review?(valentin.gosu) → review+
Comment 6•7 years ago
https://hg.mozilla.org/mozilla-central/rev/e92d092fdacc
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → Firefox 58
Updated•7 years ago
Group: firefox-core-security → core-security-release
Updated•7 years ago
Flags: sec-bounty?
Comment hidden (obsolete)
Comment 8•7 years ago
Although a valid bug in our earlier fix, it was also effectively "fixed" by bug 1399939 and unfortunately does not warrant a bounty.
Updated•6 years ago
Whiteboard: masked/fixed by bug 1399939 → [post-critsmash-triage] masked/fixed by bug 1399939
Comment 9•6 years ago
I reproduced this issue on Nightly 58.0a1 (2017-09-29) under macOS 10.13, using steps from comment 3. The issue is fixed on Release 58.0, Beta 58.0b16 and on latest Nightly (2018-01-22) under macOS 10.13, macOS 10.12 and OS X 10.11.
Status: RESOLVED → VERIFIED
Updated•6 years ago
Group: core-security-release