Closed
Bug 1507617
Opened 7 years ago
Closed 7 years ago
IDN spoofing: Πmixed with latin should trigger punycode
Categories
(Firefox :: Address Bar, defect)
Firefox
Address Bar
Tracking
()
RESOLVED
DUPLICATE
of bug 1507582
People
(Reporter: avkovaleff, Unassigned)
References
()
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(1 file)
|
38.81 KB,
image/png
|
Details |
2018-11-16_00-41-28.png
Hello, seems that Firefox has issue with IDN check for U+0152 sybol in unicode.
For example,
Expected conversion in omnibox: https://faŒbook.com => https://xn--fabook-jhb.com/
Actual: https://faŒbook.com => https://faŒbook.com. Please, check attached screenshot.
Version: 63.0.1 (64-bit)
Flags: sec-bounty?
|
||
Comment 1•7 years ago
|
||
(In reply to Andrey from comment #0)
> Expected conversion in omnibox: https://faŒbook.com =>
> https://xn--fabook-jhb.com/
Why is this expected?
Component: Security → Address Bar
Flags: needinfo?(avkovaleff)
|
|
||
Updated•7 years ago
|
Summary: Security: Omnibox url spoofing → IDN spoofing: Œ mixed with latin should trigger punycode
|
||
Comment 2•7 years ago
|
||
Duplicate of bug 1332714? Pretty sure we don't consider this a security bug.
|
|
||
Comment 3•7 years ago
|
||
(In reply to Anne (:annevk) from comment #2)
> Duplicate of bug 1332714? Pretty sure we don't consider this a security bug.
That one's fully-cyrillic IDN that looks like latin, right? This seems to be latin mixed with some more latin (just... 'exotic' latin, if you can call French exotic, cf. https://en.wiktionary.org/wiki/c%C5%93liaque vs. https://en.wiktionary.org/wiki/coeliaque ).
|
|
||
Comment 4•7 years ago
|
||
I guess. None of this seems very different from app1e.com vs apple.com, or microsoft.com vs rnicrosoft.com or some such, and I'm not sure we need to track them by category. If we ever want to fix it, we should have a fix that works for all of them (e.g., bug 1376641).
|
|
||
Comment 5•7 years ago
|
||
(In reply to Anne (:annevk) from comment #4)
> I guess. None of this seems very different from app1e.com vs apple.com, or
> microsoft.com vs rnicrosoft.com or some such, and I'm not sure we need to
> track them by category. If we ever want to fix it, we should have a fix that
> works for all of them (e.g., bug 1376641).
Right. I guess I'm trying to stay open to the idea that there's some that can be specifically addressed without coming up with the more general fix. In this case, I'm not convinced that that's the case here, though I did notice chrome uses punycode here, though I don't understand why.
|
||
Comment 6•7 years ago
|
||
I don't think this is a bug; Œ or œ is a perfectly legitimate Latin-script character, and a domain name like http://cœur.com/ is quite reasonable.
(Aside: http://cœur.com/ displays punycode in the tab title for me, in both Firefox and Chrome, although it shows the expected Unicode in the URL bar (again, in both browsers). Is it intended that tab titles play by different rules?)
|
|
||
Comment 7•7 years ago
|
||
Oh, never mind that: the page at http://cœur.com/ has an explicit <title>xn--cur-fya.com</title> that explains the tab title.
Chromium converts such domain to https://xn--fabook-jhb.com, because facebook.com in in AlexaTop10k. Their view depends not only from symbols but also from domain unicode skeleton.
Flags: needinfo?(avkovaleff)
|
|
||
Updated•7 years ago
|
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
|
||
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•1 year ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•