Security: Address bar RTL character spoofing on Mac
Issue description

Spinning off from Issue 609680. The same vulnerability exists on Mac.

VULNERABILITY DETAILS
Visit: http://127.0.0.1/%D8%A7/example.org
It is rendered as: example.org/ا/127.0.0.1
This is a spoofing vulnerability because it looks like you are on example.org. The RTL character U+FE70 ARABIC FATHATAN ISOLATED FORM combined with a numerical IP address causes the Omnibox text to be treated as an RTL paragraph.

VERSION
(I tested it a while ago, not sure of the exact version. Will re-verify, but I think it's going to affect all versions of Chrome and Mac OS.)

REPRODUCTION CASE
See above.
Jun 29 2016

Jul 6 2016
+rbsoulhunter who previously reported this vulnerability and has been in contact with me about it.
Jul 7 2016
Some stuff I learned about Cocoa (for my reference):
- NSTextField is an NSControl.
- NSControl has a currentEditor property that is an NSTextView (for some reason it returns an NSText but can be cast to NSTextView).
- NSTextView has a textStorage property that is an NSTextStorage.
- NSTextStorage is an NSMutableAttributedString.
- NSMutableAttributedString has a setBaseWritingDirection method that *might* be helpful.

This is nuts.

WIP CL (not compiled; having trouble building on Mac right now): https://codereview.chromium.org/2126023003

Not a Mac developer at all, #ihavenoideawhatimdoing.
Jul 13 2016

Jul 16 2016
I would appreciate it if someone could look into this too; I am holding my writeup.
Jul 21 2016
Not sure why Bugdroid hasn't posted here, but the fix landed: https://codereview.chromium.org/2126023003
Committed: https://crrev.com/05baf795316dd430afbd79ee915187bec6bf5f5d
Cr-Commit-Position: refs/heads/master@{#406791}
Jul 21 2016

Jul 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/05baf795316dd430afbd79ee915187bec6bf5f5d

commit 05baf795316dd430afbd79ee915187bec6bf5f5d
Author: mgiuca <mgiuca@chromium.org>
Date: Thu Jul 21 07:06:50 2016

Mac (Cocoa) Omnibox: Force text field to LTR context if it is a URL.

This means that URLs will be displayed in a left-to-right paragraph context. Right-to-left runs are still rendered RTL, but will not flip the whole URL around. For example (if "ABC" is Hebrew), this will render "ABC.com" as "CBA.com", rather than "com.CBA".

Affects main text field and suggestions, but not non-URL search text.

Complies with RFC 3987 Section 4.1 and brings the Mac Omnibox in line with the existing behaviour on Views and Android.

BUG=624213
Review-Url: https://codereview.chromium.org/2126023003
Cr-Commit-Position: refs/heads/master@{#406791}

[modify] https://crrev.com/05baf795316dd430afbd79ee915187bec6bf5f5d/chrome/browser/ui/cocoa/omnibox/omnibox_popup_cell.mm
[modify] https://crrev.com/05baf795316dd430afbd79ee915187bec6bf5f5d/chrome/browser/ui/cocoa/omnibox/omnibox_view_mac.mm
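The mechanism behind the report (a numeric host contributes no strongly-directional character, so the first Arabic letter in the path decides the paragraph direction) and the policy the commit message describes (URL text is always laid out in an LTR paragraph) can both be shown with the "first strong character" rule from the Unicode Bidirectional Algorithm (UAX #9, rules P2/P3), which is what an unforced text field applies. The following is an added example in Python, not Chromium's code; displayed_text is a hypothetical helper that models the Omnibox eliding a leading http:// and percent-decoding the path, and the example URL is the one from the report (its %D8%A7 decodes to U+0627; that character and the U+FE70 the report names are both bidi class AL, so the detection result is the same for either).

```python
"""Why an RTL path segment can flip a numeric-host URL, and the policy that stops it.

Added example; not Chromium code. Base-direction detection follows the
"first strong character" rule of the Unicode Bidirectional Algorithm
(UAX #9, rules P2/P3), which a text field applies when no base direction
is forced on it.
"""
import unicodedata
from urllib.parse import unquote

# Bidi classes that count as "strong" for first-strong detection.
STRONG_LTR = {"L"}
STRONG_RTL = {"R", "AL"}


def first_strong_direction(text: str) -> str:
    """Paragraph direction from the first strong character (UAX #9 P2/P3).

    Digits are class EN and '.' and '/' are class CS, so a numeric host
    such as 127.0.0.1 contributes no strong character at all; the first
    strong character is then whatever follows in the path.
    """
    for ch in text:
        cls = unicodedata.bidirectional(ch)
        if cls in STRONG_LTR:
            return "LTR"
        if cls in STRONG_RTL:
            return "RTL"
    return "LTR"  # P3: no strong character at all means LTR


def displayed_text(url: str) -> str:
    """Assumption (hypothetical helper): model the Omnibox eliding a
    leading 'http://' and percent-decoding the path for display."""
    text = unquote(url)
    if text.startswith("http://"):
        text = text[len("http://"):]
    return text


def rtl_characters(text: str) -> list:
    """List (index, code point, name) of every strongly-RTL character;
    handy when triaging a reported URL."""
    found = []
    for i, ch in enumerate(text):
        if unicodedata.bidirectional(ch) in STRONG_RTL:
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return found


def rtl_spoof_risk(url: str) -> bool:
    """True when an unforced text field would lay the displayed URL out as
    an RTL paragraph, i.e. host and path would appear in reversed order."""
    return first_strong_direction(displayed_text(url)) == "RTL"


def omnibox_base_direction(text: str, is_url: bool) -> str:
    """Policy from the fix: URL text always gets an LTR paragraph context
    (RTL runs inside it still render RTL); non-URL search text keeps the
    auto-detected direction."""
    return "LTR" if is_url else first_strong_direction(text)


if __name__ == "__main__":
    reported = "http://127.0.0.1/%D8%A7/example.org"  # URL from the report
    shown = displayed_text(reported)
    print("displayed:", shown)
    print("first-strong direction:", first_strong_direction(shown))
    print("RTL characters:", rtl_characters(shown))
    print("spoof risk without forced LTR:", rtl_spoof_risk(reported))
    print("direction under URL policy:", omnibox_base_direction(shown, is_url=True))
```

Running it shows the report's URL resolving to an RTL paragraph under first-strong detection, while the same path segment after a Latin-letter host (example.org/ا/127.0.0.1) resolves LTR, which is why the numeric IP matters; omnibox_base_direction returns LTR for any URL regardless of its characters, matching the commit's behaviour for the main text field and suggestions but not for search text.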
Jul 26 2016
Requesting a merge to M53. (Security, long-standing issue so not strictly urgent, but good to fix ASAP.)
Jul 26 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Jul 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6ba00cae40b82241c6416e7d24c4d7aca7a227c6

commit 6ba00cae40b82241c6416e7d24c4d7aca7a227c6
Author: Matt Giuca <mgiuca@chromium.org>
Date: Tue Jul 26 03:24:27 2016

Mac (Cocoa) Omnibox: Force text field to LTR context if it is a URL.

This means that URLs will be displayed in a left-to-right paragraph context. Right-to-left runs are still rendered RTL, but will not flip the whole URL around. For example (if "ABC" is Hebrew), this will render "ABC.com" as "CBA.com", rather than "com.CBA".

Affects main text field and suggestions, but not non-URL search text.

Complies with RFC 3987 Section 4.1 and brings the Mac Omnibox in line with the existing behaviour on Views and Android.

BUG=624213
Review-Url: https://codereview.chromium.org/2126023003
Cr-Commit-Position: refs/heads/master@{#406791}
(cherry picked from commit 05baf795316dd430afbd79ee915187bec6bf5f5d)

Review URL: https://codereview.chromium.org/2183723002 .

Cr-Commit-Position: refs/branch-heads/2785@{#353}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/6ba00cae40b82241c6416e7d24c4d7aca7a227c6/chrome/browser/ui/cocoa/omnibox/omnibox_popup_cell.mm
[modify] https://crrev.com/6ba00cae40b82241c6416e7d24c4d7aca7a227c6/chrome/browser/ui/cocoa/omnibox/omnibox_view_mac.mm
Aug 10 2016

Aug 10 2016

Sep 14 2016

Oct 27 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2018
Comment 1 by palmer@chromium.org, Jun 29 2016