Security: RTL characters are not handled properly in extension permission patterns
Issue description
If an extension embeds an RTL start character in its host permission patterns, the host names are displayed reversed. Ideally, each host name should be rendered properly regardless of any other strings in the list.
The relevant parts of the manifest for the attached screenshot are as follows:
{
"name": "\u202emoc.elgoog",
...
"permissions": [
"http://0\u202e/*", "http://google.com/*", "http://facebook.com/*"
],
...
}
Feb 14 2018
Hi catmullings@ - do you know if this is covered by your recent RTL work in issue 685747?
Feb 14 2018
Catherine is no longer on Chromium any more, so she probably won't be reading chromium.org mail. I reviewed the CL. It certainly fixed this *type* of issue, but I'm not sure if it applies to the text fields in question. If it does not, it's easy to fix now because she added a new function base::i18n::EnsureTerminatedDirectionalFormatting. Ideally this should be called on all user-supplied strings before being embedded inside any other string that gets displayed in UI. Assigning back to meacer@ to look into whether it's fixed.
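The termination idea described in the comment above, as an added example that is not part of the original thread and is not Chromium's implementation of base::i18n::EnsureTerminatedDirectionalFormatting. The helper names OpenFormatting, Terminate and JoinHosts are hypothetical, and the sketch goes slightly beyond the report by also closing the isolate controls defined in UAX #9.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Bidi control characters from UAX #9.
constexpr char32_t kLRE = 0x202A, kRLE = 0x202B, kPDF = 0x202C, kLRO = 0x202D,
                   kRLO = 0x202E, kLRI = 0x2066, kRLI = 0x2067, kFSI = 0x2068,
                   kPDI = 0x2069;

// Hypothetical helper: returns the closers (PDF or PDI) still owed at the end
// of `text`, outermost first.
std::vector<char32_t> OpenFormatting(const std::u32string& text) {
  std::vector<char32_t> open;
  for (char32_t c : text) {
    if (c == kLRE || c == kRLE || c == kLRO || c == kRLO) {
      open.push_back(kPDF);
    } else if (c == kLRI || c == kRLI || c == kFSI) {
      open.push_back(kPDI);
    } else if (c == kPDF) {
      // PDF only closes an embedding/override opened after the last isolate.
      if (!open.empty() && open.back() == kPDF) open.pop_back();
    } else if (c == kPDI) {
      // PDI closes the innermost isolate and everything opened inside it.
      for (std::size_t i = open.size(); i-- > 0;) {
        if (open[i] == kPDI) { open.resize(i); break; }
      }
    }
  }
  return open;
}

// Hypothetical helper: appends the missing closers, innermost first, so the
// string cannot change the direction of text placed after it.
std::u32string Terminate(const std::u32string& text) {
  std::vector<char32_t> open = OpenFormatting(text);
  return text + std::u32string(open.rbegin(), open.rend());
}

// Hypothetical helper: builds a one-line host list from untrusted patterns,
// terminating each entry before it is embedded in the larger string.
std::u32string JoinHosts(const std::vector<std::u32string>& hosts) {
  std::u32string out;
  for (const auto& h : hosts) {
    if (!out.empty()) out += U", ";
    out += Terminate(h);
  }
  return out;
}
```

With the patterns from the manifest in the issue description, the override in "http://0\u202e/*" is closed before the next host is appended, so the joined list ends with no directional formatting left open.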
Feb 14 2018
It's fixed, at least in the permission dialog. The "Details" dialog seems no more so I can't verify it.
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jan 27 2017