Closed Bug 293202 Opened 19 years ago Closed 19 years ago

displays unicode instead of punycode

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 264610

People

(Reporter: bb+bugzilla, Assigned: darin.moz)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050506 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050506 Firefox/1.0+

For security reasons it's important to display punycode instead of unicode domains.
But on some domains, Firefox shows unicode in the Location Bar instead of punycode.
Unfortunately I only found 2 URLs where the bug seams to exist: http://öamtc.at
and http://mühlheim.de
I've successfully tested this Bug on following Firefoxes (and on everyone I was
able to reproduce it):
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050506
Firefox/1.0+
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050421 Firefox/1.0.3
(Debian package 1.0.3-2)
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414
Firefox/1.0.3

It seams, that Firefox only displays Unicode in the Location Bar. If you look at
"View Page Info", punycode is being displayed.
If this Bug appears also in Domains with a kyrillc a for example it could become
a big security bug.

Reproducible: Always

Steps to Reproduce:
1.Go to about:config and make sure, that network.IDN_show_punycode is set to true
2.Enter http://öamtc.at or http://mühlheim.de in your Location Bar.
3.Look at your Location Bar
Actual Results:  
Unicode is being display in the Location bar.

Expected Results:  
Normally Unicode should be displayed.
Ugh. It seams that bugzilla is having problems with german umlauts.
The URL is http://öamtc.at (maybe it's now working?)
If it's not working try google for the keyword "oamtc" and take the IDN. (or if
you have a german Keyboard just type the oe-umlaut)
Worksforme, trunk Linux build (my own build).
Assignee: nobody → darin
Component: Location Bar and Autocomplete → Networking
Product: Firefox → Core
QA Contact: location.bar → benc
Version: unspecified → Trunk
This is a domain-guessing issue. If you put your cursor in the url bar and hit
ESC it will switch to the real URL loaded which is not <blah>.com but actually
www.<punycode-blah>.com

It's not an issue from clicked (or dragged) links it doesn't enable phishing.
The scammer would have to get people to copy and paste the url to fool them, but
that's pretty suspicious to start.

*** This bug has been marked as a duplicate of 264610 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.