Some Unicode characters can generate bogus ASCII in domain names

RESOLVED DUPLICATE of bug 316444

Status

()

Core
Networking
RESOLVED DUPLICATE of bug 316444
12 years ago
11 years ago

People

(Reporter: Neil Harris, Assigned: Darin Fisher)

Tracking

(Blocks: 1 bug)

Trunk
x86
Linux
Points:
---
Bug Flags:
blocking1.8b5 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 316444])

(Reporter)

Description

12 years ago
Normalization of some FQDN labels can give rise to all-ASCII strings which
contain characters which are illegal in RFC 1035 domain names, for example,
slash characters. 

See bug 309128 for test cases, and in particular the test case in bug 308800.

This appears to be due to some _non-ASCII_ Unicode characters being mapped by
NAMEPREP _into ASCII characters_, including punctuation characters, thus
resulting in all-ASCII strings containing bogus DNS characters, even when no
such characters appear in the input. The Punycode logic then passes them right
through to the DNS logic.

Presumably the the bug arises from the illegal
character check currently being carried out before NAMEPREP normalization of the
FQDN labels: it should clearly be carried out _after_ NAMEPREP normalization. Or
perhaps the code is even cruder, and just blindly trusts the URL parser to catch
all illegal characters at parse time -- which would be a bad idea, since such a
parser is inevitably complex, and likely to be a place where obscure bugs may
remain hidden for long periods.
(Reporter)

Comment 1

12 years ago
This has been filed as a more fine-grained bug to deal with one specific issue
from bug 309128, namely the smuggling of bogus ASCII characters through the DNS
name/hostname code.

Updated

12 years ago
Summary: Some Unicode characters can generate bogius ASCII in domain names → Some Unicode characters can generate bogus ASCII in domain names
Component: Security → Networking
Product: Firefox → Core
Version: unspecified → Trunk
Assignee: nobody → darin
QA Contact: firefox → benc
Flags: blocking1.9a1?
Flags: blocking1.8b5?
Flags: blocking1.8.1?
Whiteboard: [sg:spoof]
This bug is about fixing the NAMEPREP/character-checking logic, not about fixing
the DNS lookup code (which is bug 304904 and friends), right? Given that we have
the check in the DNS lookup code, is there still a security issue here?

Gerv

Comment 3

12 years ago
dveditz, can you comment here? thanks.

Comment 4

12 years ago
we're wrapping up this release tonight and this isn't moving so it's probably
not going to make it. 
Flags: blocking1.8b5? → blocking1.8b5-
Whiteboard: [sg:spoof] → [sg:low IDN-spoof]
(In reply to comment #2)
> bug 304904 and friends) Given that we have
> the check in the DNS lookup code, is there still a security issue here?

Yes, because the actual 304904 checkin was too limited.
(Reporter)

Updated

12 years ago
Blocks: 316730
(Reporter)

Comment 6

12 years ago

*** This bug has been marked as a duplicate of 316444 ***
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:low IDN-spoof] → [sg:dupe 316444]
Flags: blocking1.9a1?
Group: security
You need to log in before you can comment on or make changes to this bug.