New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 624214 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: Address bar RTL character spoofing on iOS

Project Member Reported by mgiuca@chromium.org, Jun 29 2016

Issue description

Spinning off from  Issue 609680 . The same vulnerability exists on iOS.

VULNERABILITY DETAILS
Visit:
http://127.0.0.1/%D8%A7/example.org

It is rendered as:
example.org/‭ا‬/127.0.0.1

This is a spoofing vulnerability because it looks like you are on example.org.

The RTL character U+FE70 ARABIC FATHATAN ISOLATED FORM combined with numerical IP address causes the Omnibox text to be treated as an RTL paragraph.

Note: Reported by rbsoulhunter in  https://crbug.com/609680#c13  (I haven't personally verified). (Not eligible for an additional bounty as it's the same root bug as the previously reported Android bug.)

VERSION
Chrome Version: 50.0.2661.95
Operating System: iOS

REPRODUCTION CASE
See above.

 

Comment 1 by palmer@chromium.org, Jun 29 2016

Cc: rohitrao@chromium.org
Labels: Security_Severity-Medium Security_Impact-Stable M-53
Status: Assigned (was: Unconfirmed)
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 29 2016

Labels: -Pri-2 Pri-1
Verified in 51.0.2704.104.
Cc: justincohen@chromium.org
Cc: rbsoulhu...@gmail.com mgiuca@chromium.org
Owner: ----
Status: Available (was: Assigned)
I am de-assigning myself and going to try to find someone on iOS team who can fix it (since I am completely unfamiliar with iOS development).

The fix should be straightforward: the Omnibox's text paragraph direction needs to be set to LTR (not default) when it contains a URL. This is a bit tricky because we also allow search terms to be entered, which should be rendered with the default paragraph direction. On Android, we just made it LTR when not focused, default/auto when focused.

See the Android fix: https://codereview.chromium.org/1988553002.

+rbsoulhunter who previously reported this vulnerability and has been in contact with me about it.
Cc: srikanthg@chromium.org
Labels: -M-53 ReleaseBlock-Stable M-54
Owner: justincohen@chromium.org
Status: Assigned (was: Available)
Labels: reward-topanel
Adding reward-topanel since this seems like a distinct issue.
If I set the text field alignment to NSTextAlignment I still see this bug:

https://screenshot.googleplex.com/Wa3vEP3WOM0

(lldb) expr [(UITextField*)0x7f893301be00 textAlignment]
(NSTextAlignment) $6 = NSTextAlignmentLeft


Labels: Needs-Feedback
mgiuca@: Do you have an iOS sample that fixes this?
> If I set the text field alignment to NSTextAlignment I still see this bug:

This isn't an alignment issue, it's a paragraph direction issue. You have to set the paragraph direction to LTR.

Having said that, I tried doing a similar thing on Mac:
https://codereview.chromium.org/2126023003

and it had no effect. Possibly you'll run into the same problem on iOS.

> https://screenshot.googleplex.com/Wa3vEP3WOM0

Please attach screenshots to bugs, rather than linking to internal URLs.

> mgiuca@: Do you have an iOS sample that fixes this?

What do you mean an iOS sample? Do you mean a patch? No, I don't know anything about iOS (and I thought Rohit was looking at this).
Setting the paragraph direction doesn't work either.  

The only thing I could get to work was this: 
[mutableText insertAttributedString:
    [[NSAttributedString alloc] initWithString:@"\u200E"] atIndex:0];

But I don't know if this is a terrible idea or not:
https://chromereviews.googleplex.com/471117013/
I am not familiar with iOS, however after analyzing what you have done above, i think this might solve the issue. 

What you have done here is Forced LTR (left-to-right) by prepending the text with the "left-to-right mark" ((U+200E).

[mutableText insertAttributedString:
    [[NSAttributedString alloc] initWithString:@"\u200E"] atIndex:0];

I commented on the CL. It's *kinda* a bad idea (just because it physically modifies the text string that the user is also able to select, copy and modify). You can do it that way but care is required.

Any ideas why forcing paragraph direction doesn't work?
Status: Started (was: Assigned)
Looks like we were stomping on the paragraph direction override.  https://chromereviews.googleplex.com/471117013/ works
Project Member

Comment 16 by bugdroid1@chromium.org, Jul 20 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/ios_internal.git/+/412ae8ee57897c11dab0a7b233884113cd5d70b0

commit 412ae8ee57897c11dab0a7b233884113cd5d70b0
Author: justincohen <justincohen@google.com>
Date: Wed Jul 20 23:19:44 2016

Cc: cma...@chromium.org
Status: Fixed (was: Started)
cmasso@ / srikanthg@ Can we do a quick look over RTL / omnibox functionality with this change?
I will take a look today and test around omnibox.
Tab tile is not updated correctly.
https://drive.google.com/a/google.com/file/d/0B-xmXLQhjeKua0NiVDFqS0hfQk0/view

Can you take a look if that needs to be fixed as well?
Project Member

Comment 19 by sheriffbot@chromium.org, Jul 21 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
mgiuca@ do the same thing for tab title on iOS/Mac as well?
I wouldn't do this for tab titles, because those can be arbitrary text, and they're not intended to be any sort of security indicator.
#18 Good point but outside the scope of this bug (as Rohit says, those are not security indicators).

And we can't fix it in the rendering layer because as Rohit says, those can be arbitrary text. However, we can still address this at the place where the default title is created from a URL. I filed  Issue 630481 .
Labels: -M-54 Merge-Request-53 M-53
I've decided to request a merge on  Issue 624214  (Mac bug), and I think it's probably best to do the same here (if the code change is minimal). Good to have this bug fixed on Android, Mac and iOS in the same cycle.

Comment 24 by dimu@chromium.org, Jul 26 2016

Labels: -Merge-Request-53 Merge-Approved-53 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Project Member

Comment 25 by bugdroid1@chromium.org, Jul 27 2016

Labels: -merge-approved-53 Merge-Merged-2785
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/ios_internal.git/+/eb41acd6a0cba20c951443305f7e546ba9402cbc

commit eb41acd6a0cba20c951443305f7e546ba9402cbc
Author: justincohen <justincohen@google.com>
Date: Wed Jul 20 23:19:44 2016

 Issue 629668  has been merged into this issue.
Labels: -Hotlist-Merge-Approved
Labels: Release-0-M53
 Issue 638465  has been merged into this issue.
Labels: -reward-topanel reward-ineligible
Marking as reward-ineligible as this was considered part of the related issues when they were before the panel.
Labels: -ReleaseBlock-Stable
Labels: CVE-2016-5167
Project Member

Comment 33 by sheriffbot@chromium.org, Oct 27 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted

Sign in to add a comment