Closed Bug 315411 Opened 19 years ago Closed 19 years ago

fail to check the IDN is in whitelist with un-normalized URL

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: masayuki, Assigned: darin.moz)

References

Details

(4 keywords, Whiteboard: [sg:low] spoofing, requires user to type or paste URL [rft-dl])

Attachments

(2 files, 3 obsolete files)

Patch rv1.2
2.39 KB, patch
jshin1987
: review+
darin.moz
: approval-branch-1.8.1+
dveditz
: approval1.8.0.1-
dveditz
: approval1.8.0.2+
Details | Diff | Splinter Review
testcase 2
1.29 KB, text/html
Details
if user inputs un-normalized URL in URL bar, we always fail to check the IDN is in whitelist or not so. Becuase we are checking un-normalized host.
Attached patch Patch rv1.0 (obsolete) — Splinter Review
Attachment #202111 - Flags: superreview?(darin)
Attachment #202111 - Flags: review?(darin)
Status: NEW → ASSIGNED
Sorry, it cannot repro. Please use this instead. http://日本語。JP/
This can be reproduced when I hover the mouse cursor on comment 3's link. In this time, the status bar shows punycode URL.
So, this allows our IDN whitelist to be defeated, which seems pretty bad. Should this block the FF 1.5 release?
Flags: blocking1.8rc2?
Attached patch Patch rv1.1 (obsolete) — Splinter Review
Here's a slightly revised version of the patch. The main problem with the v1.0 patch was that it was passing |result| as both an in-param as well as an out-param to ConvertUTF8toACE. That could cause a problem in the future if ConvertUTF8toACE ever modified it's out-param before reading from the in-param, so I fixed the code to use a temporary string object. I also added a few more comments.
Assignee: masayuki → darin
Attachment #202111 - Attachment is obsolete: true
Attachment #202136 - Flags: superreview+
Attachment #202136 - Flags: review?
Attachment #202111 - Flags: superreview?(darin)
Attachment #202111 - Flags: review?(darin)
Attachment #202136 - Flags: review? → review?(jshin1987)
Target Milestone: mozilla1.9alpha → mozilla1.8rc1
thanks, Darin.
Comment on attachment 202136 [details] [diff] [review] Patch rv1.1 I think this patch is not good. It introduces cases where .com domain names are displayed as unicode and sent to the DNS resolver as punycode. See bug 315440.
Attachment #202136 - Attachment is obsolete: true
Attachment #202136 - Flags: review?(jshin1987)
Depends on: 315440
Attached patch Patch rv1.2Splinter Review
OK, here's a revised patch. I am falling back on ConvertUTF8toACE when Normalize fails. This seems to address the problems that I found with malformed bidi text in bug 315440. Masayuki: Can you please verify that this patch works as you expect. Thanks.
Attachment #202187 - Flags: superreview?(dveditz)
Attachment #202187 - Flags: review?(jshin1987)
This patch works fine for this patch. But http://www.%E3%83%8F%E3%83%B3%E3%83%89%E3%83%9C%E3%83%BC%E3%83%AB%E3%82%B5%E3%83%A0%E3%82%BA.com is displaied UTF-8 URL on statusbar.
> This patch works fine for this patch. for this *bug*.
Is the seriousness of this bug mitigated somewhat by the fact that this is only a problem with urls the user enters by hand (as opposed to URLS the user clicks on from a web page and URLs that come from other applications (like mail)?
Comment on attachment 202187 [details] [diff] [review] Patch rv1.2 r=jshin
Attachment #202187 - Flags: review?(jshin1987) → review+
(In reply to comment #12) > Is the seriousness of this bug mitigated somewhat by the fact that this is only > a problem with urls the user enters by hand (as opposed to URLS the user clicks > on from a web page and URLs that come from other applications (like mail)? > On thunderbird, if a text mail has IDN URL in its content, thunderbird makes link the URL. But the URL cannot be opened on Firefox by clicking the URL. Maybe, it's another bug. # I think that the bug is same the bug of comment 10.
> # I think that the bug is same the bug of comment 10. Yeah, the URL with %-escaped characters in the hostname cannot be loaded because Mozilla does not unescape the hostname portion of a URL.
my question wasn't about thunderbird at all. I was trying to ask if the bypassing of our IDN whitelist check is only happening for URLs a user manually types into the urlbar vs. urls clicked on from a web page or urls we are given by the OS as a result of a user clicking on urls from other applications (like mail, IM, etc).
(In reply to comment #16) > my question wasn't about thunderbird at all. I was trying to ask if the > bypassing of our IDN whitelist check is only happening for URLs a user manually > types into the urlbar vs. urls clicked on from a web page or urls we are given > by the OS as a result of a user clicking on urls from other applications (like > mail, IM, etc). mscott: I think that it is possible for any website to give the user links that contain un-normalized unicode characters in the hostname. That means that, yes, our whitelist is *completely defeated* by this bug. So, I think this is a serious bug that needs to block the 1.5 release.
Severity: minor → blocker
Masayuki: Can you please confirm that this bug could be triggered by web content as well?
Attached file testcase (obsolete) —
This bug can be reproduced by the links on web page.
The subject implies that this bug effects urls typed into the url bar by the user only. We should clarify the summary if that's not the case Masayuki.
Attached file testcase 2
another tests added.
Attachment #202278 - Attachment is obsolete: true
OK, I confused myself. Comment #17 is wrong. Without this patch, the only harm is that we will show punycode when we could safely show unicode to the user. Therefore, this is really just a minor bug that websites can workaround. I don't think we need to block FF 1.5 for this. Sorry for the false alarm!
Severity: blocker → minor
Flags: blocking1.8rc2?
Target Milestone: mozilla1.8rc1 → mozilla1.9alpha
Attachment #202187 - Flags: superreview?(dveditz)
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Keywords: testcase
Summary: fail to check the IDN is in whitelist if user inputs un-normalized URL in URL bar → fail to check the IDN is in whitelist with un-normalized URL
This bug was reported first by .jp registry to Mozilla Japan. IDN whitelist is a much-anticipated new feature and they hope the problem is fixed in Firefox 1.5, of course. Mozilla Japan also request blocking.
Flags: blocking1.8rc2?
because this is a case of us being over zealous as opposed to the white list being bypassed to show things in unicode that should be show in punycode, we aren't going to respin and slip the release for this fix. Let's look into getting it into the next follow up release.
Flags: blocking1.8rc2? → blocking1.8rc2-
ugh. we'll escalate the issue to MoCo through official channels...
Let's go to next minor release. This bug was reported by JPRS.
Flags: blocking1.8.1?
(In reply to comment #20) > The subject implies that this bug effects urls typed into the url bar by the > user only. We should clarify the summary if that's not the case Masayuki. > Oops. Sorry. The old summary is wrong. This is reproduced by the link of web contents too. But this is not a security bug. I think that we should go to 1.8.1, this bug and bug 315666.
Severity: minor → normal
Flags: blocking1.8.0.1?
Whiteboard: [sg:low] spoofing, requires user to type or paste URL
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Comment on attachment 202187 [details] [diff] [review] Patch rv1.2 This is minor problem. But the patch doesn't have regression report. And this bug is reported by JPRS.
Attachment #202187 - Flags: approval1.8.1?
Attachment #202187 - Flags: approval1.8.0.1?
Flags: blocking1.8.0.2?
Comment on attachment 202187 [details] [diff] [review] Patch rv1.2 Not for 1.8.0.1 (candidates in hand).
Attachment #202187 - Flags: approval1.8.0.2?
Attachment #202187 - Flags: approval1.8.0.1?
Attachment #202187 - Flags: approval1.8.0.1-
Attachment #202187 - Flags: branch-1.8.1?(darin)
Attachment #202187 - Flags: approval1.8.1?
Attachment #202187 - Flags: branch-1.8.1?(darin) → branch-1.8.1+
Keywords: fixed1.8.1
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Comment on attachment 202187 [details] [diff] [review] Patch rv1.2 approving for 1.8.0 branch, a=dveditz for drivers
Attachment #202187 - Flags: approval1.8.0.2? → approval1.8.0.2+
-> v.(trunk and 1.8 branch)
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1verified1.8.1
Whiteboard: [sg:low] spoofing, requires user to type or paste URL → [sg:low] spoofing, requires user to type or paste URL [rft-dl]
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2, links in testcase 2 work as expected.
Keywords: fixed1.8.0.2verified1.8.0.2
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: