
Issue 847242


Issue metadata

Status: Fixed
Owner:
Closed: Jun 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug-Security
Team-Security-UX




Security: IDN URL Spoofing with Myanmar character "ဒ" (U+1012)

Reported by chromium...@gmail.com, May 28 2018

Issue description

VERSION
Chrome Version: 69.0.3442.0 (Official Build) canary (64-bit)
Operating System: Mac 

- see issue 811117.

REPRODUCTION CASE
http://xn--16-z0j.com/ this should be shown in punycode instead of 16ဒ.com (163.com in the top 10k list).

Cc: mgiuca@chromium.org
Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: Security_Impact-Stable
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by mea...@chromium.org, May 30 2018

Cc: sffc@chromium.org
I believe the fix is similar to https://chromium-review.googlesource.com/c/chromium/src/+/1055894

Since jshin is transitioning, would any of the CCs be interested in this one? Otherwise I can give it a shot.

Comment 3 by mea...@chromium.org, May 30 2018

Labels: Security_Severity-Medium
Project Member

Comment 4 by sheriffbot@chromium.org, May 31 2018

Labels: M-67
Project Member

Comment 5 by sheriffbot@chromium.org, May 31 2018

Labels: Pri-1
Cc: js...@chromium.org
Owner: mea...@chromium.org
Status: Started (was: Assigned)
Project Member

Comment 7 by bugdroid1@chromium.org, Jun 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d616695bd68610e75b90d734d72d42534bf01b82

commit d616695bd68610e75b90d734d72d42534bf01b82
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Fri Jun 08 19:19:41 2018

Add confusability mapping entries for Myanmar and Georgian

U+10D5 (ვ), U+1012 (ဒ) => 3

Bug: 847242, 849398
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I9abb8560cf1c9e8e5e8d89980780b89461f7be52
Reviewed-on: https://chromium-review.googlesource.com/1091430
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#565709}
[modify] https://crrev.com/d616695bd68610e75b90d734d72d42534bf01b82/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/d616695bd68610e75b90d734d72d42534bf01b82/components/url_formatter/url_formatter_unittest.cc
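
The check this commit extends, as an added Python sketch (not Chromium's `idn_spoof_checker.cc` code): decode the punycode label, map confusable characters to their ASCII look-alikes, and fall back to punycode when the result matches a top domain. The two mapping entries come from the commit message; `TOP_DOMAINS` is a constructed stand-in for the top-domain list, the function names are hypothetical, and only this one comparison is modeled.

```python
# Added illustration, not Chromium code. Function names are hypothetical.

# Confusability entries named in the commit message: both map to ASCII "3".
CONFUSABLE_TO_ASCII = {"\u1012": "3", "\u10d5": "3"}

# Constructed stand-in for the top-domain list (the report cites 163.com).
TOP_DOMAINS = {"163.com"}


def to_unicode(hostname):
    """Decode each xn-- label with the stdlib punycode codec."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the ASCII form
        labels.append(label)
    return ".".join(labels)


def skeleton(hostname):
    """Replace mapped confusables with their ASCII look-alike."""
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in hostname)


def display_form(hostname):
    """Return the string to show: Unicode unless it imitates a top domain."""
    unicode_form = to_unicode(hostname)
    if unicode_form == hostname.lower():
        return unicode_form  # plain ASCII host, nothing to spoof-check
    if skeleton(unicode_form) in TOP_DOMAINS:
        return hostname.lower()  # lookalike of a top domain: keep punycode
    return unicode_form


if __name__ == "__main__":
    for host in ("xn--16-z0j.com", "163.com"):
        print(host, "->", display_form(host))
```
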

Verified the fix in 69.0.3454.0 (Developer Build) (64-bit), http://xn--16-z0j.com/ is shown in punycode instead of http://16ဒ.com. 

Status: Fixed (was: Started)
It's now picked up by Canary, closing.
Project Member

Comment 10 by sheriffbot@chromium.org, Jun 13

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Project Member

Comment 12 by sheriffbot@chromium.org, Jun 19

Labels: Merge-Request-68
Project Member

Comment 13 by sheriffbot@chromium.org, Jun 19

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Which OSes is this impacting?
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Must be all but not sure about iOS
Labels: -Merge-Review-68 Merge-Approved-68
Approved branch:3440
Project Member

Comment 17 by bugdroid1@chromium.org, Jun 20

Labels: -merge-approved-68 merge-merged-3440
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93c0d219306d70faf545afd6baf3e6f389c76f55

commit 93c0d219306d70faf545afd6baf3e6f389c76f55
Author: Mustafa Emre Acer <meacer@chromium.org>
Date: Wed Jun 20 17:45:43 2018

Add confusability mapping entries for Myanmar and Georgian

U+10D5 (ვ), U+1012 (ဒ) => 3

TBR=meacer@chromium.org

(cherry picked from commit d616695bd68610e75b90d734d72d42534bf01b82)

Bug: 847242, 849398
Test: components_unittests --gtest_filter=*IDN*
Change-Id: I9abb8560cf1c9e8e5e8d89980780b89461f7be52
Reviewed-on: https://chromium-review.googlesource.com/1091430
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#565709}
Reviewed-on: https://chromium-review.googlesource.com/1108380
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#464}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/93c0d219306d70faf545afd6baf3e6f389c76f55/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/93c0d219306d70faf545afd6baf3e6f389c76f55/components/url_formatter/url_formatter_unittest.cc

Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to award for this report.
Labels: Release-0-M68
Labels: CVE-2018-6172 CVE_description-missing
Project Member

Comment 21 by sheriffbot@chromium.org, Sep 19

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: idn-spoof
