Closed Bug 309133 Opened 19 years ago Closed 19 years ago

Even more IDN URL-appearance-spoofing threat candidates

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 309311
Milestone:
mozilla1.8beta5

People

(Reporter: usenet, Assigned: darin.moz)

References

Details

(Whiteboard: [sg:dupe 309311])

Attachments

(1 file)

HTML page containing test case links
7.30 KB, text/html
Details 
Many of the Unicode characters given in the HTML example below result in
potentially spoof-friendly display behavior in the location bar (spacing
characters) or non-display of these characters, or complete breakage of the
location bar display. Most do not generate DNS lookups, but some do, and in a
few cases, with DNS names that do not match the apparent URL displayed in the
location bar.

Note: The Unicode characters are all of those containing "SPACE" or "FILLER" in
their canonical names. 

1 Load the attached HTML page in Firefox
2 Click on the links
3 Look at the anomalous behavior in the location bar for many of these: 
* some are displayed as spaces: if there were enough of these space-like
characters, they would push the rest of the URL out of the right side of the
location bar
* others are not displayed at all, but still appear in the DNS lookup; 
* yet others appear to completely break the location bar display, making it just
say "ht" and nothing else 
4 Note that some of these generate DNS lookups as well as displaying misleading
content
This is the HTML page referred in the bug report.
Assignee: nobody → darin
Component: Security → Networking
Flags: blocking1.9a1?
Flags: blocking1.8b5?
Product: Firefox → Core
Whiteboard: [sg:fix]
Version: unspecified → Trunk
Flags: blocking1.8b5? → blocking1.8b5+
Whiteboard: [sg:fix] → [sg:spoof]
I don't see complete breakage of the location bar, but this lot should
definitely be added to the blacklist. Patch, please :-)

Gerv

Location bar breakage observed with Firefox 1.5b1 running on SuSE 9.1 upgraded
to KDE 3.4.2 and X.org X server.

Other spacing characters that should be added to any blacklist are 
U+2000 EN QUAD
U+2001 EM QUAD 

Another data point:

According to page 3 of "Ordering Rules for Hagul",
http://www.open-std.org/jtc1/sc22/wg20/docs/n891r-hangulsort10a.pdf, 
dated 2001, by Kent Karlsson:

"The two Hangul filler characters should normally not be explicitly used."

apparently referring to 

U+115F HANGUL CHOSEONG FILLER
U+1160 HANGUL JUNGSEOUNG FILLER 

which, incidentally, both completely break the rendering of nearby text in my
copy of Firefox 1.5b1 running on Linux. Apparently, these characters are to be
used as "virtual" characters in the internal mechanics of the renderer, rather
than encoded in exchangeable text streams.

Perhaps not coincidentally, the two other characters that screw up rendering in
my test are...

U+3164 HANGUL FILLER 
U+FFA0 HALFWIDTH HANGUL FILLER 

We need some input from Korean-language Unicode specialists about whether we any
of these characters are ever valid in properly-encoded Hangul Unicode text.
Target Milestone: --- → mozilla1.8beta5
Depends on: 307438
Bug 309311 has the canonical list of chars we are going to ban, including all of
those from this bug. We are going to use that set of chars as soon as bug
307438, which allows us to insert them into prefs.js in a sensible way, is fixed.

Gerv

*** This bug has been marked as a duplicate of 309311 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Flags: blocking1.9a1?
Flags: blocking1.8b5+
Group: security
Whiteboard: [sg:spoof] → [sg:dupe 309311]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: