Closed
Bug 310734
Opened 19 years ago
Closed 19 years ago
DNS label bad char test must occur after, not before, NAMEPREP
Categories
(Core :: Networking, defect)
RESOLVED
DUPLICATE
of bug 316444
People
(Reporter: usenet, Assigned: darin.moz)
References
(Blocks 1 open bug)
Details
(Whiteboard: [sg:dupe 316444])
A large number of Unicode characters are normalized by NAMEPREP to strings which include ASCII punctuation characters. These characters, which would otherwise get caught during parsing, are effectively "smuggled" through the DNS validation process. This allows both spoofing in URLs, and potentially attacks on other protocols (consider the Host: field in HTTP headers, or sending URLs such as mailto: URLs to other apps). To fix this, domain name labels need to be checked for ASCII punctuation characters after NAMEPREP, rather than before. This also has the advantage that the Unicode blacklist for visual spoof characters can be reduced to a reasonable length. To catch all these characters at the Unicode-display blacklist level would require an impracticably long blacklist to be generated: checking after NAMEPREP will catch nearly all of these, leaving only a much smaller number of characters to be blacklisted manually.
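The ordering problem the description argues for, as an added Python example that is not part of this bug or of Mozilla's code: it uses CPython's `encodings.idna.nameprep` as the NAMEPREP step, and the LDH check, the function names and the sample labels are assumptions constructed for illustration.

```python
from encodings.idna import nameprep  # RFC 3491 NAMEPREP as shipped in CPython

# ASCII characters a hostname label may contain (letters, digits, hyphen).
LDH = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")

def has_bad_ascii(label: str) -> bool:
    """True if the label holds an ASCII character outside letters/digits/hyphen.
    Non-ASCII code points are deliberately left alone here: they belong to the
    separate visual-spoof blacklist the bug discusses."""
    return any(ord(c) < 128 and c not in LDH for c in label)

def check_before_nameprep(label: str) -> bool:
    """The order the bug reports as broken: validate the raw label, then
    normalize. Returns True if the label would be accepted."""
    if has_bad_ascii(label):
        return False
    try:
        nameprep(label)  # punctuation produced here is never inspected
    except UnicodeError:
        return False
    return True

def check_after_nameprep(label: str) -> bool:
    """The order the bug asks for: normalize first, then validate the result."""
    try:
        normalized = nameprep(label)
    except UnicodeError:  # prohibited code point, bidi violation
        return False
    return not has_bad_ascii(normalized)

# Constructed sample labels with the result a correct validator should give.
# The first three contain no ASCII punctuation as typed, but NAMEPREP's NFKC
# step maps them onto '.', '@' and '/' respectively.
SAMPLES = {
    "www\uff0eexample": False,   # U+FF0E FULLWIDTH FULL STOP -> '.'
    "user\uff20example": False,  # U+FF20 FULLWIDTH COMMERCIAL AT -> '@'
    "\u2105example": False,      # U+2105 CARE OF -> 'c/o'
    "B\u00fccher": True,         # ordinary IDN label, stays clean
    "ex ample": False,           # raw ASCII space, caught either way
}

def audit() -> dict:
    """Return {label: (accepted_before, accepted_after)} for SAMPLES."""
    return {l: (check_before_nameprep(l), check_after_nameprep(l)) for l in SAMPLES}

if __name__ == "__main__":
    for label, (before, after) in audit().items():
        print(f"{label!r:22} before={before!s:5} after={after!s:5} expected={SAMPLES[label]}")
```

Running it shows the pre-NAMEPREP check accepting all three smuggled-punctuation labels while the post-NAMEPREP check rejects them.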
Comment 1•19 years ago
I filed this bug as a blocker for bug 309311 because it is unclear from the comments, and the very complex code, whether the fix for Bug 304904 already fulfils this, which is necessary: 1) to ensure that the blocklist in Bug 309311 does not need to become enormous - otherwise that blocklist will have to be expanded from an already unwieldy 88 characters to hundreds. 2) to simplify maintaining the blacklist, which is complex enough already, and will need to be expanded periodically as new homographs or Unicode rendering attacks emerge and 3) because checking after NAMEPREP is the Obvious Right Thing to do from a security point of view.
Assignee: nobody → darin
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → benc
Version: unspecified → Trunk
Comment 2•19 years ago
Note http://lxr.mozilla.org/seamonkey/source/netwerk/dns/src/nsHostResolver.cpp#387 . So is this bug just about expanding the checks done in net_IsValidHostName?
Comment 3•19 years ago
(In reply to comment #1)
> 1) to ensure that the blocklist in Bug 309311 does not need to become enormous

I can't access bug 309311, so I'm adding a comment here (hmm, I thought I accessed that bug before). As biesi mentioned once some time ago, we can deal with a huge list rather effectively, either using a (now disabled) API in intl or using a compressed charmap, if we absolutely have to. Needless to say, if we can avoid that by doing what's suggested here, that's better.
Updated•19 years ago
Whiteboard: [sg:low spoof]
Comment 4•19 years ago
jshin: you should be able to see bug 309311; you are CCed on it... Gerv
Comment 5•19 years ago
I like the idea of extending net_IsValidHostName.
Comment 6•19 years ago
*** This bug has been marked as a duplicate of 316444 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•18 years ago
Whiteboard: [sg:low spoof] → [sg:dupe 316444]
Updated•18 years ago
Group: security