authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-14 14:22:07 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-14 14:13:06 +0000
commit01b3f792f17bcbaea0e873c50d27476ca48b8ef8 (patch)
treefba70a4dde8efc1f6e84da7f15ead0d14bbd61b3
parentc88d2026cc604c9cc7b42e4684eb480f12690e30 (diff)
[Backport] CVE-2019-13659
Disallow combining Kana voiced sound marks (U+3099 and U+309A) in IDN This CL disallows U+3099 and U+309A characters from domain names. Any IDN containing these characters will be displayed as punycode. As of July 2019, these characters are not used in any popular domains. Bug: 868846 Change-Id: I7e36b30d7dcaf167fb3a6eb23b96f0aa4bd393ee Reviewed-by: Christopher Thompson <cthomp@chromium.org> Commit-Queue: Mustafa Emre Acer <meacer@chromium.org> Cr-Commit-Position: refs/heads/master@{#681043} Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/components/url_formatter/idn_spoof_checker.cc2
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/components/url_formatter/idn_spoof_checker.cc b/chromium/components/url_formatter/idn_spoof_checker.cc
index 56627da7599..6029873b282 100644
--- a/chromium/components/url_formatter/idn_spoof_checker.cc
+++ b/chromium/components/url_formatter/idn_spoof_checker.cc
@@ -327,6 +327,7 @@ bool IDNSpoofChecker::SafeToDisplayAsUnicode(base::StringPiece16 label,
// character. Other combining diacritical marks are not in the allowed
// character set.
// - Disallow dotless i (U+0131) followed by a combining mark.
+ // - Disallow combining Kana voiced sound marks.
// - Disallow U+0307 (dot above) after 'i', 'j', 'l' or dotless i (U+0131).
// Dotless j (U+0237) is not in the allowed set to begin with.
dangerous_pattern = new icu::RegexMatcher(
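Review bot: The added comment bullet does not name the code points it covers, unlike the neighbouring bullets, which cite U+0131 and U+0307. I would write it as `// - Disallow combining Kana voiced sound marks (U+3099 and U+309A).` so a reader can match the bullet to the `\u3099|\u309A` alternative in the pattern without consulting the commit message. The comment block and SafeToDisplayAsUnicode itself begin outside the hunk.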
@@ -341,6 +342,7 @@ bool IDNSpoofChecker::SafeToDisplayAsUnicode(base::StringPiece16 label,
R"([a-z]\u30fb|\u30fb[a-z]|)"
R"([^\p{scx=latn}\p{scx=grek}\p{scx=cyrl}][\u0300-\u0339]|)"
R"(\u0131[\u0300-\u0339]|)"
+ R"(\u3099|\u309A|)"
R"([ijl]\u0307)",
-1, US_INV),
0, status);
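Review bot: No test accompanies the new `\u3099|\u309A|` alternative; the diffstat lists only idn_spoof_checker.cc, so nothing in this backport pins that a label containing either mark falls back to punycode. If the url_formatter unit tests are built in this tree, one case per code point would guard against the alternative being lost in a later edit of the pattern. As a style point, the neighbouring alternatives use lower-case hex (`\u30fb`), and a character class would read more like them: `R"([\u3099\u309a]|)"`. The RegexMatcher construction starts outside the hunk, and how `status` is checked afterwards is not visible here.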