authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-29 11:38:00 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-02-02 09:41:21 +0000
commit0d62ec3da6b22576c666a839dddb7105f0047a68 (patch)
tree98e8aa4f2c9d4f7fe3d649c1375e6d1f64321197
parent232288de9e12c0c4fb8b5686a7fe81280ee4852f (diff)
[Backport] Block dotless-i / j + a combining mark
U+0131 (dotless i) and U+0237 (dotless j) are blocked from being followed by a combining mark in the U+0300 block. Bug: 774842 Test: See the bug Reviewed-on: https://chromium-review.googlesource.com/767888 Commit-Queue: Jungshik Shin <jshin@chromium.org> Reviewed-by: Peter Kasting <pkasting@chromium.org> Cr-Commit-Position: refs/heads/master@{#517605} (CVE-2018-6050) Change-Id: Ib2dce153bc81de78a9f6b5d867d3729a4c2d3985 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/components/url_formatter/idn_spoof_checker.cc4
-rw-r--r--chromium/components/url_formatter/url_formatter_unittest.cc4
2 files changed, 7 insertions, 1 deletions
diff --git a/chromium/components/url_formatter/idn_spoof_checker.cc b/chromium/components/url_formatter/idn_spoof_checker.cc
index fd4eb5a92b4..f4c28d87d6e 100644
--- a/chromium/components/url_formatter/idn_spoof_checker.cc
+++ b/chromium/components/url_formatter/idn_spoof_checker.cc
@@ -238,6 +238,7 @@ bool IDNSpoofChecker::SafeToDisplayAsUnicode(base::StringPiece16 label,
// - Disallow combining diacritical mark (U+0300-U+0339) after a non-LGC
// character. Other combining diacritical marks are not in the allowed
// character set.
+ // - Disallow dotless i (U+0131) followed by a combining mark.
// - Disallow U+0307 (dot above) after 'i', 'j', 'l' or dotless i (U+0131).
// Dotless j (U+0237) is not in the allowed set to begin with.
dangerous_pattern = new icu::RegexMatcher(
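Review bot: The unchanged bullet right after the added one still lists dotless i (U+0131) as a base for the U+0307 rule, but the regex in the next hunk drops `\u0131` from that character class. Dotless i followed by U+0307 is now caught by the new, broader rule, since U+0307 lies inside U+0300-U+0339. The comment block should say so, so that a later edit to the range does not silently reopen the case, for example `// - Disallow U+0307 (dot above) after 'i', 'j' or 'l'. Dotless i + U+0307 is covered by the rule above.` The function body starts and ends outside this hunk.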
@@ -251,7 +252,8 @@ bool IDNSpoofChecker::SafeToDisplayAsUnicode(base::StringPiece16 label,
R"(^[\p{scx=hira}]+[\u30d8-\u30da][\p{scx=hira}]+$|)"
R"([a-z]\u30fb|\u30fb[a-z]|)"
R"([^\p{scx=latn}\p{scx=grek}\p{scx=cyrl}][\u0300-\u0339]|)"
- R"([ijl\u0131]\u0307)",
+ R"(\u0131[\u0300-\u0339]|)"
+ R"([ijl]\u0307)",
-1, US_INV),
0, status);
tls_index.Set(dangerous_pattern);
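Review bot: The new alternative `\u0131[\u0300-\u0339]` covers only dotless i, although the commit description says dotless j (U+0237) is blocked as well. According to the comment in the preceding hunk, U+0237 is rejected only because it is outside the allowed character set, so the regex gives no protection if that set is ever widened. Writing the alternative as `R"([\u0131\u0237][\u0300-\u0339]|)"` would keep the block independent of the allowed set. The function continues outside the hunk, so the allowed-set check itself is not visible here.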
diff --git a/chromium/components/url_formatter/url_formatter_unittest.cc b/chromium/components/url_formatter/url_formatter_unittest.cc
index 7b484e02efb..e865c7204e3 100644
--- a/chromium/components/url_formatter/url_formatter_unittest.cc
+++ b/chromium/components/url_formatter/url_formatter_unittest.cc
@@ -268,6 +268,10 @@ const IDNTestCase idn_cases[] = {
// l followed by U+0307
{"xn--lace-qwc.com", L"l\x0307" L"ace.com", false},
+ // Do not allow a combining mark after dotless i/j.
+ {"xn--pxel-lza29y.com", L"p\x0131\x0300xel.com", false},
+ {"xn--ack-gpb42h.com", L"\x0237\x0301" L"ack.com", false},
+
// Mixed script confusable
// google with Armenian Small Letter Oh(U+0585)
{"xn--gogle-lkg.com", L"g\x0585ogle.com", false},
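Review bot: Neither added case pins the path this commit moved. Dotless i followed by U+0307 used to match `[ijl\u0131]\u0307` and now has to match the new range alternative, so a case built on `L"p\x0131\x0307xel.com"` expecting `false` would guard against a regression there. A second case at the upper bound U+0339 would pin the range. The U+0237 case presumably fails through the allowed-set check rather than the new regex, and the comment above it could say that, for example `// Dotless j is rejected because it is not in the allowed set.` The `idn_cases` array starts and ends outside the hunk, so such cases may already exist elsewhere in the file.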