Closed
Bug 406322
(BIDI-in-Statusbar)
Opened 17 years ago
Closed 17 years ago
MUST remove bidi-marks before displaying url in the status bar
Categories
(Core :: Networking, defect)
Tracking
RESOLVED
DUPLICATE
of bug 388372
People
(Reporter: zwnj, Unassigned)
Details
(Keywords: intl, Whiteboard: [sg:dupe 388372])
Attachments
(2 files)
How to reproduce:

* network.IDN.whitelist.xn--mgba3a4f16a = true
* make sure network.IDN.whitelist.xn--hgbk6aj7f53bba = true
* open the attachment and hover the 3rd and 4th links
* open both links in new tabs

As you can see, not removing bidi-marks (even in paths, link samples 2 and 4) allows changing how the URL looks in the status-bar, and allows faking sites. Here is the translation of the links:

1. http://EXAMPLE.TEXT/EXAMPLE.IRAN
2. http://EXAMPLE.IRAN/EXAMPLE.TEXT
3. http://EXAMPLE.TEXT/EXAMPLE.IRAN
4. http://EXAMPLE.IRAN/EXAMPLE.TEXT

The text of all links is EXAMPLE.IRAN, which because of another (yet open) bug you see as punycode for the first two, but as unicode for the second two, which is the security issue here. As fx2.0 always displays the punycode in the status-bar (right?), it doesn't have any security problem, but it's better to fix it too.
Flags: blocking1.9?
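The defect described in the report is that Unicode bidi format controls survive into the status-bar text, where they can reorder how the host and path appear. The following is an added example, not Firefox code or the reporter's attachment: a display-side sanitizer that strips the bidi control characters from a URL before it is shown and reports whether they sat in the host or in the path (the path-only case is the one the reporter singles out). The `splitHostAndPath` helper, the constructed `SAMPLE` URL (using the reserved `example.test` name) and the function names are assumptions for this demo, not part of the original page.

```javascript
// Added example, not Firefox's own code: strip Unicode bidi format controls
// from a URL before it is shown in a status bar or tooltip, and report where
// they occurred so the caller can treat the link as suspicious.

// Bidi format controls that can reorder, mirror or isolate displayed text:
// U+061C ALM, U+200E LRM, U+200F RLM, U+202A..U+202E (LRE, RLE, PDF, LRO, RLO),
// U+2066..U+2069 (LRI, RLI, FSI, PDI).
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/g;

// Split "scheme://host/path" at the first "/" after the authority.
// Deliberately simple splitter for the demo (hypothetical helper), not a
// full URL parser.
function splitHostAndPath(url) {
  const schemeEnd = url.indexOf("://");
  const authStart = schemeEnd === -1 ? 0 : schemeEnd + 3;
  const slash = url.indexOf("/", authStart);
  if (slash === -1) {
    return { prefix: url.slice(0, authStart), host: url.slice(authStart), path: "" };
  }
  return {
    prefix: url.slice(0, authStart),
    host: url.slice(authStart, slash),
    path: url.slice(slash),
  };
}

// Number of bidi controls in a string (global regex: match() returns all hits).
function countControls(s) {
  return (s.match(BIDI_CONTROLS) || []).length;
}

// Returns the text that is safe to display plus per-part counts of the
// controls that were removed; `suspicious` is true if any were present.
function sanitizeUrlForDisplay(url) {
  const { host, path } = splitHostAndPath(url);
  return {
    display: url.replace(BIDI_CONTROLS, ""),
    hostControls: countControls(host),
    pathControls: countControls(path),
    suspicious: countControls(url) > 0,
  };
}

// Constructed sample: clean host, but the path carries an RLO (U+202E) and an
// RLM (U+200F), i.e. the "marks only in the path" case from the report.
const SAMPLE = "http://example.test/\u202Eexample.iran\u200F";

function demo() {
  return sanitizeUrlForDisplay(SAMPLE);
}

console.log(demo());
```

A status bar that shows `display` and, when `suspicious` is set, visually flags the link (or falls back to the escaped/punycode form) closes the spoofing window the report describes; keeping the per-part counts lets a UI treat controls in the host more strictly than controls in the path.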
Reporter
Comment 1•17 years ago
(In reply to comment #0)
> 1. http://EXAMPLE.TEXT/EXAMPLE.IRAN
> 2. http://EXAMPLE.IRAN/EXAMPLE.TEXT
> 3. http://EXAMPLE.TEXT/EXAMPLE.IRAN
> 4. http://EXAMPLE.IRAN/EXAMPLE.TEXT

s/TEXT/TEST/
Reporter
Comment 2•17 years ago
As you can see in this English example, I can fake mozilla.org in the status-bar and even in the address-bar! Maybe this case is not a security issue, as I cannot do the DNS config needed, but the previous one, which doesn't have any bidi-mark in the host part, is.
Updated•17 years ago
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Updated•17 years ago
Whiteboard: [sg:dupe 388372]
Updated•12 years ago
Group: core-security