Issue metadata
Sign in to add a comment
|
Security: Urls are not punycoded in some cases after the April fix
Reported by
mpaa...@gmail.com,
Nov 28 2017
|
||||||||||||||||||||||||||
Issue descriptionThis template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com /chromium/src/+/master/docs/security/faq.md Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs NOTE: Security bugs are normally made public once a fix has been widely deployed. VULNERABILITY DETAILS Please provide a brief explanation of the security issue. VERSION Chrome Version: Version 62.0.3202.94 (Official Build) (64-bit) Operating System: Windows 10, latest REPRODUCTION CASE Go to https://www.xn--f-scure-ts4c.com/ it shows in the address bar as https:// www.f-sẹcure.com
,
Nov 28 2017
This is another potential URL spoofing related issue
,
Dec 1 2017
www.f-sẹcure.com: 'ẹ' is not supposed to be puny-coded unconditionally (yet). It'd be if 'f-secure.com' were in the top domain list. 'yet' comes from bug 770709 .
,
Aug 25
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||||
Comment 1 by raymes@chromium.org
, Nov 28 2017Components: UI>Security>UrlFormatting
Labels: Security_Severity-Low Security_Impact-Stable Pri-2
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)