Closed
Bug 309133
Opened 19 years ago
Closed 19 years ago
Even more IDN URL-appearance-spoofing threat candidates
Categories
(Core :: Networking, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 309311
mozilla1.8beta5
People
(Reporter: usenet, Assigned: darin.moz)
References
Details
(Whiteboard: [sg:dupe 309311])
Attachments
(1 file)
7.30 KB,
text/html
|
Details |
Many of the Unicode characters given in the HTML example below result in potentially spoof-friendly display behavior in the location bar (spacing characters) or non-display of these characters, or complete breakage of the location bar display. Most do not generate DNS lookups, but some do, and in a few cases, with DNS names that do not match the apparent URL displayed in the location bar. Note: The Unicode characters are all of those containing "SPACE" or "FILLER" in their canonical names. 1 Load the attached HTML page in Firefox 2 Click on the links 3 Look at the anomalous behavior in the location bar for many of these: * some are displayed as spaces: if there were enough of these space-like characters, they would push the rest of the URL out of the right side of the location bar * others are not displayed at all, but still appear in the DNS lookup; * yet others appear to completely break the location bar display, making it just say "ht" and nothing else 4 Note that some of these generate DNS lookups as well as displaying misleading content
Reporter | ||
Comment 1•19 years ago
|
||
This is the HTML page referred in the bug report.
Updated•19 years ago
|
Assignee: nobody → darin
Component: Security → Networking
Flags: blocking1.9a1?
Flags: blocking1.8b5?
Product: Firefox → Core
Whiteboard: [sg:fix]
Version: unspecified → Trunk
Updated•19 years ago
|
Flags: blocking1.8b5? → blocking1.8b5+
Updated•19 years ago
|
Whiteboard: [sg:fix] → [sg:spoof]
Comment 2•19 years ago
|
||
I don't see complete breakage of the location bar, but this lot should definitely be added to the blacklist. Patch, please :-) Gerv
Reporter | ||
Comment 3•19 years ago
|
||
Location bar breakage observed with Firefox 1.5b1 running on SuSE 9.1 upgraded to KDE 3.4.2 and X.org X server.
Reporter | ||
Comment 4•19 years ago
|
||
Other spacing characters that should be added to any blacklist are U+2000 EN QUAD U+2001 EM QUAD
Reporter | ||
Comment 5•19 years ago
|
||
Another data point: According to page 3 of "Ordering Rules for Hagul", http://www.open-std.org/jtc1/sc22/wg20/docs/n891r-hangulsort10a.pdf, dated 2001, by Kent Karlsson: "The two Hangul filler characters should normally not be explicitly used." apparently referring to U+115F HANGUL CHOSEONG FILLER U+1160 HANGUL JUNGSEOUNG FILLER which, incidentally, both completely break the rendering of nearby text in my copy of Firefox 1.5b1 running on Linux. Apparently, these characters are to be used as "virtual" characters in the internal mechanics of the renderer, rather than encoded in exchangeable text streams. Perhaps not coincidentally, the two other characters that screw up rendering in my test are... U+3164 HANGUL FILLER U+FFA0 HALFWIDTH HANGUL FILLER We need some input from Korean-language Unicode specialists about whether we any of these characters are ever valid in properly-encoded Hangul Unicode text.
Assignee | ||
Updated•19 years ago
|
Target Milestone: --- → mozilla1.8beta5
Comment 6•19 years ago
|
||
Bug 309311 has the canonical list of chars we are going to ban, including all of those from this bug. We are going to use that set of chars as soon as bug 307438, which allows us to insert them into prefs.js in a sensible way, is fixed. Gerv *** This bug has been marked as a duplicate of 309311 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
|
Flags: blocking1.9a1?
Flags: blocking1.8b5+
Updated•18 years ago
|
Group: security
Whiteboard: [sg:spoof] → [sg:dupe 309311]
You need to log in
before you can comment on or make changes to this bug.
Description
•