Closed
Bug 283016
Opened 20 years ago
Closed 19 years ago
Make it possible to blacklist characters in domain names
Categories
(Core :: Networking, defect, P1)
Core
Networking
Tracking
()
RESOLVED
FIXED
mozilla1.8beta4
People
(Reporter: masayuki, Assigned: masayuki)
References
()
Details
Attachments
(2 files, 12 obsolete files)
|
12.64 KB,
image/png
|
Details | |
|
6.58 KB,
patch
|
masayuki
:
review+
masayuki
:
superreview+
benjamin
:
approval1.8b4+
|
Details | Diff | Splinter Review |
screenshot
This is IDN problem.
You should look UTF-8 for this report.
The 'DIVISION SLASH'(U+2215) is similar SLASH("/").
If this is used in sub-domain, it is danger.
For example:
http://foo.com∕bar.com/
This domain is "foo.com∕bar.com", not "foo.com".
This problem is not related to domain registry.
Because it is sub-domain.
This problem is not reproduced latest builds. Because bug 282270 is fixed.
However, if we find another way for IDN problems, this problem should be considered.
|
Assignee | |
Comment 1•20 years ago
|
||
|
|
Assignee | |
Updated•20 years ago
|
Attachment #175007 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 2•20 years ago
|
||
|
|
Assignee | |
Comment 3•20 years ago
|
||
Sorry, the exapmle is wrong. For example: http://foo.com∕sub.bar.com/ This domain is "foo.com∕sub.bar.com", not "foo.com".
|
||
Comment 4•20 years ago
|
||
Thank you for pointing this out. We'll certainly take this into account in our IDN thinking. Gerv
|
||
Comment 5•20 years ago
|
||
clearing confidential flag: the IDN problems are public and keeping all the sub-problems in full view will only help in crafting solutions.
Blocks: punycode
Group: security
|
|
Assignee | |
Updated•19 years ago
|
Summary: IDN problem: using 'DIVISION SLASH'(U+2215) in sub-domain → IDN problem: using 'DIVISION SLASH'(U+2215) or 'FLACTION SLASH'(U+2044) in sub-domain
|
||
Comment 6•19 years ago
|
||
An IAB Working Group is working on Stringprep/Nameprep revisions that may be related to this: http://weblogs.mozillazine.org/gerv/archives/007785.html
Summary: IDN problem: using 'DIVISION SLASH'(U+2215) or 'FLACTION SLASH'(U+2044) in sub-domain → IDN problem: using 'DIVISION SLASH'(U+2215) or 'FRACTION SLASH'(U+2044) in sub-domain
|
|
Assignee | |
Comment 7•19 years ago
|
||
|
|
Assignee | |
Comment 8•19 years ago
|
||
This is security problem. We MUST fix before next release.
Flags: blocking1.8b3?
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta3
|
||
Comment 9•19 years ago
|
||
Comment on attachment 186812 [details] [diff] [review] Patch rv1.0 >Index: netwerk/dns/src/nsIDNService.cpp >+ return NS_OK; >+ } else > _retval.Append(decodedBuf); nit: You can always remove an 'else' after a 'return' If gerv is happy with this patch, then sr=darin
Attachment #186812 -
Flags: superreview+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #186812 -
Flags: review?(gerv)
|
|
Assignee | |
Comment 10•19 years ago
|
||
Oops... Thank you for your superreview!
Attachment #186812 -
Attachment is obsolete: true
Attachment #186828 -
Flags: superreview+
Attachment #186828 -
Flags: review?(gerv)
|
||
Comment 11•19 years ago
|
||
Comment on attachment 186828 [details] [diff] [review] Patch rv1.1 >+ NS_ConvertUTF8toUCS2 ustr(_retval); nit: pls, use NS_ConvertUTF8toUTF16
|
|
Assignee | |
Updated•19 years ago
|
Attachment #186828 -
Flags: review?(gerv)
|
|
Assignee | |
Comment 12•19 years ago
|
||
Attachment #186828 -
Attachment is obsolete: true
Attachment #186890 -
Flags: superreview+
Attachment #186890 -
Flags: review?(gerv)
|
|
||
Comment 13•19 years ago
|
||
Masayuki: these two characters are not the only ones we want to ban. Would it be possible for you to change the patch so that it looked for any character in a list, perhaps using a regular expression or similar? Ideally, the list would be kept in a pref, so we can do a simple security update if necessary (although I would hope it wouldn't be). Gerv
|
|
Assignee | |
Comment 14•19 years ago
|
||
Comment on attachment 186890 [details] [diff] [review] Patch rv1.2 O.K. Please wait.
Attachment #186890 -
Flags: review?(gerv) → review-
|
|
Assignee | |
Comment 15•19 years ago
|
||
|
|
Assignee | |
Updated•19 years ago
|
Attachment #186890 -
Attachment is obsolete: true
Attachment #187383 -
Flags: review?(gerv)
|
|
Assignee | |
Updated•19 years ago
|
Attachment #187383 -
Attachment is obsolete: true
Attachment #187383 -
Flags: review?(gerv)
|
|
Assignee | |
Comment 16•19 years ago
|
||
Attachment #187384 -
Flags: review?(gerv)
|
||
Updated•19 years ago
|
Attachment #187384 -
Flags: review?(gerv) → review?(darin)
|
|
||
Updated•19 years ago
|
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Flags: blocking1.8b3-
|
|
Assignee | |
Updated•19 years ago
|
Attachment #187384 -
Flags: superreview?(darin)
|
|
||
Comment 17•19 years ago
|
||
Comment on attachment 187384 [details] [diff] [review] Patch rv2.0 >Index: netwerk/dns/src/nsIDNService.cpp >+ NS_ConvertUTF8toUTF16 uri(_retval); >+ for (PRInt32 i = 0; i < mIDNBlacklist->Length(); i++) { >+ PRUnichar blacklist_char[2] = {mIDNBlacklist->get()[i], 0x0}; >+ if (uri.Find(blacklist_char) != kNotFound) { >+ _retval.Assign(input); >+ break; >+ } I don't quite understand this. Why does blacklist_char have a null character appended before doing the search? Is this going to work for non-ASCII chars? Also, this algorithm takes n*m time, where n is the number of blacklist chars and m is the number of chars in the uri. Can we do better than that? Also, do you know how to encode such chars in the prefs file? Is it UTF-8? (This may not be your problem to solve; I'm just asking.) Gerv
|
|
Assignee | |
Comment 18•19 years ago
|
||
(In reply to comment #17) > I don't quite understand this. Why does blacklist_char have a null character > appended before doing the search? Is this going to work for non-ASCII chars? I think that we need null-terminated string for |nsAString.Find()|. So I append the null charcter everytime. > Also, this algorithm takes n*m time, where n is the number of blacklist chars > and m is the number of chars in the uri. Can we do better than that? I think that if the URI is valid, we need to check n*m time. > Also, do you know how to encode such chars in the prefs file? Is it UTF-8? > (This may not be your problem to solve; I'm just asking.) I wrote the all.js by UTF-8. It is same to "font.name-list.*".
|
|
||
Comment 19•19 years ago
|
||
Comment on attachment 187384 [details] [diff] [review] Patch rv2.0 OK - subject to darin's sr of the performance and algorithm, r=gerv. Gerv
Attachment #187384 -
Flags: review?(darin) → review+
|
|
||
Comment 20•19 years ago
|
||
Comment on attachment 187384 [details] [diff] [review] Patch rv2.0 >+ nsString* mIDNBlacklist; Heap allocating this string object doesn't make a lot of sense to me. It would be better to simply have a nsXPIDLString type as the member variable. Then you could read the pref directly into this value instead of copying it into a nsAutoString that you allocate on the heap. You can also use nsString::FindCharInSet to implement the search loop. That does what I think you want with very little code on your end.
Attachment #187384 -
Flags: superreview?(darin) → superreview-
|
|
Assignee | |
Comment 21•19 years ago
|
||
Attachment #187384 -
Attachment is obsolete: true
Attachment #188680 -
Flags: superreview?(darin)
Attachment #188680 -
Flags: review+
|
|
||
Comment 22•19 years ago
|
||
Comment on attachment 188680 [details] [diff] [review] Patch rv3.0 >Index: netwerk/dns/src/nsIDNService.cpp >+ NS_ConvertUTF8toUTF16 uri(_retval); >+ for (PRInt32 i = 0; i < mIDNBlacklist.Length(); i++) { >+ PRUnichar blacklist_char[2] = {mIDNBlacklist.get()[i], 0x0}; >+ if (uri.FindCharInSet(blacklist_char) != kNotFound) { >+ _retval.Assign(input); >+ break; >+ } > } > > return NS_OK; > } Why not change this code to be like so: NS_ConvertUTF8toUTF16 temp(_retval); if (temp.FindCharInSet(mIDNBlacklist) != kNotFound) _retval.Assign(input); return NS_OK; Also, it seems like you could move this check into the decodeACE function. That function already does some other runtime checking to ensure that the ACE string is well formed by converting the UTF-8 value back to ACE to ensure that the same result is yielded. Adding this blacklist to that function would make sense as an additional sanity check. The code that calls decodeACE already behaves properly if decodeACE fails, so I think you should add your code there. Then you will avoid additional conversions. Sorry for not noticing this earlier.
Attachment #188680 -
Flags: superreview?(darin) → superreview-
|
|
Assignee | |
Comment 23•19 years ago
|
||
> Why not change this code to be like so: Sorry. I couldn't understand |FindCharInSet|'s functional. > Also, it seems like you could move this check into the decodeACE > function. I don't think so. |decodeACE| is calling |ConvertUTF8toACE|, it is not calling |ConvertACEtoUTF8|. |ConvertACEtoUTF8| is called from other classes. So it is public member. I think that my check is always run for security. Therefore, we should make to fail |ConvertACEtoUTF8|.
|
|
Assignee | |
Updated•19 years ago
|
Attachment #188680 -
Attachment is obsolete: true
Attachment #188682 -
Flags: superreview?(darin)
Attachment #188682 -
Flags: review+
|
|
||
Comment 24•19 years ago
|
||
ConvertACEtoUTF8 calls decodeACE, and ConvertACEtoUTF8 is the only caller of decodeACE. Therefore, you should be able to move your check into decodeACE. When would this not work?
|
|
Assignee | |
Comment 25•19 years ago
|
||
Comment on attachment 188682 [details] [diff] [review] Patch rv3.1 > ConvertACEtoUTF8 *calls* decodeACE Oh, I understand! Please wait.
Attachment #188682 -
Flags: superreview?(darin) → superreview-
|
|
Assignee | |
Comment 26•19 years ago
|
||
Attachment #188682 -
Attachment is obsolete: true
Attachment #188700 -
Flags: superreview?(darin)
Attachment #188700 -
Flags: review+
|
|
||
Comment 27•19 years ago
|
||
Comment on attachment 188700 [details] [diff] [review] Patch rv3.2 Yup, sr=darin
Attachment #188700 -
Flags: superreview?(darin) → superreview+
|
|
Assignee | |
Comment 28•19 years ago
|
||
Comment on attachment 188700 [details] [diff] [review] Patch rv3.2 The risk is low. But this is security problem (So, this is important).
Attachment #188700 -
Flags: approval1.8b4?
|
|
||
Comment 29•19 years ago
|
||
This patch doesn't seem to work for me. - I downloaded it, applied it to my Firefox tree, and rebuilt with make -f client.mk build - I set "network.IDN.whitelist.com" to true. - I visited http://www.shmoo.com/idn/ and tested that IDN display worked on the first link. - I then set network.IDN.blacklist_chars to oоgr (as in, a mid substring of the spoofing URL listed on that page), and re-visited the link. It still worked. I restarted my browser, but the result was the same. Have I misunderstood? If not, what's wrong? Gerv
|
|
Assignee | |
Comment 30•19 years ago
|
||
I can reproduce too. But if following URI, it works fine. http://bugbug.cocolog-nifty.xn--cominfo-ef0d.nekodama.com/icons/nekodama64b.gif If the URI is written by Unicode text, Isn't |decodeACE| called?
|
|
Assignee | |
Comment 31•19 years ago
|
||
test. http://bugbug.cocolog-nifty.com∕info.nekodama.com/icons/nekodama64b.gif
|
|
Assignee | |
Comment 32•19 years ago
|
||
Sorry, re-test. http://bugbug.cocolog-nifty.com∕info.nekodama.com/icons/nekodama64b.gif
|
|
Assignee | |
Comment 33•19 years ago
|
||
Umm.. Comment 30 works fine, bug Comment 32 doesn't so.
|
|
Assignee | |
Updated•19 years ago
|
Attachment #188700 -
Flags: approval1.8b4?
|
|
Assignee | |
Updated•19 years ago
|
Attachment #188700 -
Flags: review+ → review-
|
|
||
Comment 34•19 years ago
|
||
I get the same results. Masayuki: can you investigate what is going on here? Gerv
|
|
Assignee | |
Comment 35•19 years ago
|
||
Attachment #189070 -
Flags: superreview?(darin)
Attachment #189070 -
Flags: review?(gerv)
|
|
Assignee | |
Updated•19 years ago
|
Attachment #188700 -
Attachment is obsolete: true
|
|
||
Comment 36•19 years ago
|
||
Comment on attachment 189070 [details] [diff] [review] Patch rv4.0 >+PRBool nsIDNService::isValid(const nsAString& in) >+{ >+ return (mIDNBlacklist.IsEmpty() || >+ nsString(in).FindCharInSet(mIDNBlacklist) == kNotFound); You can make it inline (static). Also, you can avoid |nsString(in) by using |nsAFlatString| instead of |nsAString| because all callers pass |nsAutoString|.
|
|
Assignee | |
Updated•19 years ago
|
Attachment #189070 -
Flags: superreview?(darin)
Attachment #189070 -
Flags: review?(gerv)
Attachment #189070 -
Flags: review-
|
|
Assignee | |
Comment 37•19 years ago
|
||
Attachment #189070 -
Attachment is obsolete: true
Attachment #189179 -
Flags: superreview?(darin)
Attachment #189179 -
Flags: review?(gerv)
|
|
||
Comment 38•19 years ago
|
||
Comment on attachment 189179 [details] [diff] [review] Patch rv4.1 My only comment is that "isValid()" is the wrong name for the function - it's too generic. It really should be something like isOnlySafeChars(). With that change (or a similar, better name), r=gerv. Gerv
Attachment #189179 -
Flags: review?(gerv) → review+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #189179 -
Flags: superreview?(darin)
|
|
Assignee | |
Comment 39•19 years ago
|
||
Attachment #189179 -
Attachment is obsolete: true
Attachment #189315 -
Flags: superreview?(darin)
Attachment #189315 -
Flags: review+
|
|
Assignee | |
Updated•19 years ago
|
Target Milestone: mozilla1.8beta3 → mozilla1.8beta4
|
|
Assignee | |
Comment 40•19 years ago
|
||
Darin: Please re-superreview it.
|
|
||
Comment 41•19 years ago
|
||
Comment on attachment 189315 [details] [diff] [review] Patch rv4.2 >Index: netwerk/dns/src/nsIDNService.cpp >+ if (NS_FAILED(rv)) >+ return rv; >+ >+ nsCAutoString utf8; >+ CopyUTF16toUTF8(outUTF16, utf8); >+ >+ if (!isOnlySafeChars(outUTF16, mIDNBlacklist)) >+ return ConvertUTF8toACE(utf8, output); >+ output.Assign(utf8); >+ >+ return NS_OK; > } This code is not very efficient in the case where the string contains safe chars. I think you should optimize for that case. Ideally, we'd have an internal version of ConvertUTF8toACE called ConvertUTF16toACE since we are working with UTF16 here, and ConvertUTF8toACE first converts its input from UTF8 to UTF16. But, even without making that change you can improve things: CopyUTF16toUTF8(outUTF16, output); if (!isOnlySafeChars(outUTF16, mIDNBlacklist)) return ConvertUTF8toACE(output, output); return NS_OK; This works because of the fact that ConvertUTF8toACE first converts its input argument to UTF16, so there is no problem using |output| as both arguments to the function ;-) sr=darin with that change
Attachment #189315 -
Flags: superreview?(darin) → superreview+
|
|
Assignee | |
Comment 42•19 years ago
|
||
The risk is low. But this is security problem. We should fix this.
Attachment #189315 -
Attachment is obsolete: true
Attachment #190045 -
Flags: superreview+
Attachment #190045 -
Flags: review+
Attachment #190045 -
Flags: approval1.8b4?
|
|
||
Comment 43•19 years ago
|
||
So the next thing we need is an initial list of blacklisted characters. masayuki: as soon as this is checked in, please open a new bug and attach a patch creating a blacklist from 'DIVISION SLASH'(U+2215) and 'FRACTION SLASH'(U+2044). Apply for sr= from darin, and mark it as "approval1.8b4?". Do you have checkin privileges? Gerv
Summary: IDN problem: using 'DIVISION SLASH'(U+2215) or 'FRACTION SLASH'(U+2044) in sub-domain → Make it possible to blacklist characters in domain names
|
|
Assignee | |
Comment 44•19 years ago
|
||
(In reply to comment #43) > masayuki: as soon as this is checked in, please open a new bug and attach a > patch creating a blacklist from 'DIVISION SLASH'(U+2215) and 'FRACTION > SLASH'(U+2044). Apply for sr= from darin, and mark it as "approval1.8b4?". Oh, sorry. I forgot the blacklist after Patch rv3.2. I will do it, thanks. > Do you have checkin privileges? Yes.
|
|
Assignee | |
Comment 45•19 years ago
|
||
I opened bug 301694.
|
|
||
Updated•19 years ago
|
Attachment #190045 -
Flags: approval1.8b4? → approval1.8b4+
|
|
Assignee | |
Comment 46•19 years ago
|
||
checked-in. Thanks.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•