Bug 406322 (BIDI-in-Statusbar)

MUST remove bidi-marks before displaying url in the status bar

RESOLVED DUPLICATE of bug 388372

Status

Core
Networking
--
major
11 years ago
6 years ago

People

(Reporter: zwnj, Unassigned)

Tracking

({intl})

Trunk
x86
Linux
Bug Flags:
blocking1.9 ?

Details

(Whiteboard: [sg:dupe 388372])

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Created attachment 290987 [details]
A page that fakes link to EXAMPLE.IRAN as a link to EXAMPLE.TEST

How to reproduce:
* network.IDN.whitelist.xn--mgba3a4f16a = true
* make sure network.IDN.whitelist.xn--hgbk6aj7f53bba = true
* open the attachment and hover 3rd and 4th links
* open both links in new tab

As you can see, not removing bidi-marks (even in paths, link samples 2 and 4) allows changing how the URL looks in the status-bar, and allows faking sites.

Here are the translations of the links:
1. http://EXAMPLE.TEXT/EXAMPLE.IRAN
2. http://EXAMPLE.IRAN/EXAMPLE.TEXT
3. http://EXAMPLE.TEXT/EXAMPLE.IRAN
4. http://EXAMPLE.IRAN/EXAMPLE.TEXT

The text of all links is EXAMPLE.IRAN; because of another (still open) bug you see the punycode of the first two but the unicode of the second two, which is the security issue here.

As fx2.0 always displays the punycode in the status-bar (right?), it doesn't have any security problem, but it's better to fix it too.
Flags: blocking1.9?
(Reporter)

Comment 2

11 years ago
Created attachment 290988 [details]
A page that fakes link to zwnj.org as a link to mozilla.org

As you can see in this English example, I can fake mozilla.org in the status-bar and even in the address-bar!

Maybe this case is not a security issue, as I cannot do the config needed for the DNS, but the previous one, which doesn't have any bidi-mark in the host part, is.

Updated

11 years ago
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 388372
Whiteboard: [sg:dupe 388372]
Group: core-security
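
One way to do what the bug summary asks, shown as an added example that is not part of the original report and is not Mozilla's code: decode a URL the way a status bar would, then either drop the bidi formatting characters or keep them visible as percent-escapes. The function names and sample URLs are constructed for illustration.

```javascript
// Added example: neutralise bidi formatting characters in a URL string
// before it is shown in a status bar or similar UI surface.
// Function names and sample URLs are constructed for illustration.

// Unicode bidi controls: ALM, LRM/RLM, embeddings/overrides, isolates.
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/g;

// Decode percent-escapes for display; fall back to the raw string when the
// escapes are not valid UTF-8 (decodeURI throws URIError in that case).
function decodeForDisplay(url) {
  try {
    return decodeURI(url);
  } catch (e) {
    return url;
  }
}

// Report each bidi control found in the display form, with its offset.
function findBidiControls(url) {
  const shown = decodeForDisplay(url);
  return [...shown.matchAll(BIDI_CONTROLS)].map((m) => ({
    index: m.index,
    codePoint: "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// mode "strip": drop the marks, as the bug summary asks.
// mode "escape": keep them visible as percent-escapes, so the displayed
// text still round-trips to the real URL.
function safeDisplayUrl(url, mode = "strip") {
  const shown = decodeForDisplay(url);
  return shown.replace(BIDI_CONTROLS, (ch) =>
    mode === "escape" ? encodeURIComponent(ch) : ""
  );
}

// Constructed samples: an RLO (U+202E) hidden in the path as %E2%80%AE,
// a raw RLM (U+200F) in the path, and a URL with no bidi controls.
const samples = [
  "http://example.test/%E2%80%AEabc",
  "http://example.test/a\u200Fb",
  "http://example.test/plain",
];
for (const s of samples) {
  console.log(JSON.stringify(safeDisplayUrl(s, "escape")), findBidiControls(s));
}
```

Stripping changes what the user sees relative to the URL that will actually load, while the escape mode leaves the marks inert but still visible.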