Closed Bug 310734 Opened 19 years ago Closed 19 years ago

DNS label bad char test must occur after, not before, NAMEPREP

Categories: Core :: Networking, defect
Platform: All / Linux
Severity: major
Status: RESOLVED DUPLICATE of bug 316444
Reporter: usenet; Assigned: darin.moz
References: Blocks 1 open bug
Whiteboard: [sg:dupe 316444]

A large number of Unicode characters are normalized by NAMEPREP to strings which
include ASCII punctuation characters. These characters, which would otherwise
get caught during parsing, are effectively "smuggled" through the DNS validation
process.  This allows both spoofing in URLs, and potentially attacks on other
protocols (consider the Host: field in HTTP headers, or sending URLs such as
mailto: URLs to other apps).

To fix this, domain name labels need to be checked for ASCII punctuation
characters after NAMEPREP, rather than before. 

This also has the advantage that the Unicode blacklist for visual spoof
characters can be reduced to a reasonable length. To catch all these characters
at the Unicode-display blacklist level would require an impracticably long
blacklist to be generated: checking after NAMEPREP will catch nearly all of
these, leaving only a much smaller number of characters to be blacklisted manually.
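The smuggling the report describes, as an added example that is not code from this bug or from Firefox: a small label validator in Python, using case folding plus NFKC as a stand-in for NAMEPREP (RFC 3491) and a constructed forbidden-character set, shows how a bad-character check placed before normalization accepts labels such as U+2100 ACCOUNT OF (which NFKC expands to the ASCII string "a/c") or U+2488 DIGIT ONE FULL STOP (which expands to "1."), while the same check placed after normalization rejects them.

```python
import unicodedata

# Constructed, illustrative set of ASCII characters a DNS label must never
# contain; the bug does not list Firefox's exact set, so this is an assumption.
FORBIDDEN_ASCII = frozenset("./:@?#&=%\\\"'<> ")


def nameprep_lite(label: str) -> str:
    """Approximation of NAMEPREP: case-fold, then NFKC-normalize.
    Real NAMEPREP also drops mapped-to-nothing code points and runs the
    prohibited-output and bidi checks; those do not affect this demonstration."""
    return unicodedata.normalize("NFKC", label.casefold())


def has_forbidden_ascii(s: str) -> bool:
    return any(ch in FORBIDDEN_ASCII for ch in s)


def validate_before_nameprep(label: str):
    """Flawed order described in the bug: bad-char check BEFORE NAMEPREP.
    Returns the prepped label, or None if rejected."""
    if has_forbidden_ascii(label):
        return None
    return nameprep_lite(label)  # punctuation can only appear after this point


def validate_after_nameprep(label: str):
    """Fixed order: NAMEPREP first, then the bad-char check on its output."""
    prepped = nameprep_lite(label)
    if has_forbidden_ascii(prepped):
        return None
    return prepped


def smuggled(labels):
    """Labels the flawed validator accepts but the fixed validator rejects."""
    return [l for l in labels
            if validate_before_nameprep(l) is not None
            and validate_after_nameprep(l) is None]


if __name__ == "__main__":
    # Constructed sample labels; the expansions are Unicode compatibility mappings.
    samples = ["example", "a/c", "\u2100", "evil\u2488com", "\uff0fetc"]
    for s in samples:
        print(f"{s!r:>16} -> {nameprep_lite(s)!r:>12}  "
              f"before={validate_before_nameprep(s)!r}  "
              f"after={validate_after_nameprep(s)!r}")
    print("smuggled:", smuggled(samples))
```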
Blocks: 309311
I filed this bug as a blocker for bug 309311 because it is unclear from the
comments, and the very complex code, whether the fix for Bug 304904 already
fulfils this, which is necessary:

1) to ensure that the blocklist in Bug 309311 does not need to become enormous -
otherwise that blocklist will have to be expanded from an already unwieldy 88
characters to hundreds.

2) to simplify maintaining the blacklist, which is complex enough already, and
will need to be expanded periodically as new homographs or Unicode rendering
attacks emerge  

and 

3) because checking after NAMEPREP is the Obvious Right Thing to do from a
security point of view.


Assignee: nobody → darin
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → benc
Version: unspecified → Trunk
note http://lxr.mozilla.org/seamonkey/source/netwerk/dns/src/nsHostResolver.cpp#387

so is this bug just about expanding the checks done in net_IsValidHostName?

(In reply to comment #1)

> 1) to ensure that the blocklist in Bug 309311 does not need to become enormous 

I can't access bug 309311, so I'm adding a comment here (hmm, I thought I
accessed that bug before). As biesi mentioned once some time ago, we can deal
with a huge list rather effectively either using a(n) (now disabled) API in intl
or using a compressed charmap if we absolutely have to. Needless to say, if we
can avoid that by doing what's suggested here, that's better.
Whiteboard: [sg:low spoof]
jshin: you should be able to see bug 309311; you are CCed on it...

Gerv
I like the idea of extending net_IsValidHostName.
Blocks: 316730

*** This bug has been marked as a duplicate of 316444 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:low spoof] → [sg:dupe 316444]
Group: security