
Issue 789305

Issue metadata

Status: Duplicate
Merged: issue 770709
Closed: Dec 2017
Pri: 2
Type: Bug-Security
Team-Security-UX




Security: Urls are not punycoded in some cases after the April fix

Reported by mpaa...@gmail.com, Nov 28 2017

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: Version 62.0.3202.94 (Official Build) (64-bit)

Operating System: Windows 10, latest

REPRODUCTION CASE

Go to https://www.xn--f-scure-ts4c.com/. It shows in the address bar as https://www.f-sẹcure.com

Comment 1 by raymes@chromium.org, Nov 28 2017

Cc: mgiuca@chromium.org
Components: UI>Security>UrlFormatting
Labels: Security_Severity-Low Security_Impact-Stable Pri-2
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by raymes@chromium.org, Nov 28 2017

This is another potential URL spoofing related issue.

Comment 3 by js...@chromium.org, Dec 1 2017

Mergedinto: 770709
Status: Duplicate (was: Assigned)
www.f-sẹcure.com:

'ẹ' is not supposed to be puny-coded unconditionally (yet). It'd be if 'f-secure.com' were in the top domain list.

'yet' comes from bug 770709.
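
The rule described in comment 3, as an added example that is not part of the original thread and is not Chromium's code: the reported hostname is decoded, reduced to a skeleton, and shown as punycode only when that skeleton is in a top-domain list. The `skeleton` function (NFD plus dropping combining marks), the two-label `registrable` helper and the top-domain sets are simplified assumptions constructed for illustration.

```python
import unicodedata

REPORTED = "www.xn--f-scure-ts4c.com"  # hostname from the report


def to_unicode(hostname):
    """Decode each xn-- label with the punycode codec; other labels pass through."""
    labels = []
    for label in hostname.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text):
    """Simplified skeleton (assumption): NFD-decompose, drop combining marks."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")


def registrable(hostname):
    """Naive registrable domain: last two labels (assumption, no suffix list)."""
    return ".".join(hostname.split(".")[-2:])


def display_form(hostname, top_domains):
    """Return the form a URL bar applying the top-domain rule would show."""
    unicode_host = to_unicode(hostname)
    skel = skeleton(unicode_host)
    # Lookalike: the name changes under the skeleton and lands on a listed domain.
    lookalike = skel != unicode_host and registrable(skel) in top_domains
    return hostname.lower() if lookalike else unicode_host


if __name__ == "__main__":
    # Constructed lists: the first lacks f-secure.com, the second includes it.
    for note, top in (("f-secure.com not listed", {"example.com"}),
                      ("f-secure.com listed", {"example.com", "f-secure.com"})):
        print(f"{note}: {display_form(REPORTED, top)}")
```

With the first list the Unicode form is displayed, which is the behaviour the report observed; with the second the name falls back to punycode.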

Comment 4 by sheriffbot@chromium.org, Aug 25

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
