authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-15 10:29:01 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-16 11:01:01 +0000
commite8ba421d30c92f095346c574c0d2bbf7e6a10369 (patch)
tree4e14f1d10e8b9e9de76487932e2f31fed5b934cd
parent6ddab05a4c715e2a5f2792ba36ec4762c144355a (diff)
downloadqtwebengine-chromium-e8ba421d30c92f095346c574c0d2bbf7e6a10369.tar.gz
[Backport] CVE-2019-13663 [2/2]
Block CJK ideographs looking like slashes in domain names This CL blocks the following characters from appearing in unicode domain names when they're surrounded by non-Japanese scripts: "丶" (CJK unified ideograph, U+4E36) "乀" (CJK unified ideograph, U+4E40) "乁" (CJK unified ideograph, U+4E41) "丿" (CJK unified ideograph, U+4E3F) None of these characters are currently used in domain names so the real world impact is nil. Bug: 863661 Change-Id: Ifc3a40d46d957bc99383445a71577a0cba744aec Commit-Queue: Mustafa Emre Acer <meacer@chromium.org> Reviewed-by: Tommy Li <tommycli@chromium.org> Cr-Commit-Position: refs/heads/master@{#679205} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/components/url_formatter/idn_spoof_checker.cc16
-rw-r--r--chromium/components/url_formatter/url_formatter_unittest.cc10
2 files changed, 21 insertions, 5 deletions
diff --git a/chromium/components/url_formatter/idn_spoof_checker.cc b/chromium/components/url_formatter/idn_spoof_checker.cc
index 47e42faed22..eba177be41b 100644
--- a/chromium/components/url_formatter/idn_spoof_checker.cc
+++ b/chromium/components/url_formatter/idn_spoof_checker.cc
@@ -310,10 +310,16 @@ bool IDNSpoofChecker::SafeToDisplayAsUnicode(base::StringPiece16 label,
// regex is OR'ed with the | operator.
dangerous_pattern = new icu::RegexMatcher(
icu::UnicodeString(
- // Disallow the katakana no (U+30ce), so (U+30bd), zo (U+30be), or
- // n (U+30f3), as they may be mistaken for slashes when they're
- // surrounded by non-Japanese scripts (i.e. scripts other than
- // Katakana, Hiragana or Han). If {no, so, zo, n} next to a
+ // Disallow the following as they may be mistaken for slashes when
+ // they're surrounded by non-Japanese scripts (i.e. scripts other
+ // than Katakana, Hiragana or Han):
+ // "ノ" (Katakana no, U+30ce), "ソ" (Katakana so, U+30bd),
+ // "ゾ" (Katakana zo, U+30be), "ン" (Katakana n, U+30f3),
+ // "丶" (CJK unified ideograph, U+4E36),
+ // "乀" (CJK unified ideograph, U+4E40),
+ // "乁" (CJK unified ideograph, U+4E41),
+ // "丿" (CJK unified ideograph, U+4E3F).
+ // If {no, so, zo, n} next to a
// non-Japanese script on either side is disallowed, legitimate
// cases like '{vitamin in Katakana}b6' are blocked. Note that
// trying to block those characters when used alone as a label is
@@ -323,7 +329,7 @@ bool IDNSpoofChecker::SafeToDisplayAsUnicode(base::StringPiece16 label,
// string. See http://bugs.icu-project.org/trac/ticket/12823 .
// TODO(jshin): adjust the pattern once the above ICU bug is fixed.
R"([^\p{scx=kana}\p{scx=hira}\p{scx=hani}])"
- R"([\u30ce\u30f3\u30bd\u30be])"
+ R"([\u30ce\u30f3\u30bd\u30be\u4e36\u4e40\u4e41\u4e3f])"
R"([^\p{scx=kana}\p{scx=hira}\p{scx=hani}]|)"
// Disallow U+30FD (Katakana iteration mark) and U+30FE (Katakana
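Review bot: The widened class `[\u30ce\u30f3\u30bd\u30be\u4e36\u4e40\u4e41\u4e3f]` is still bracketed by `[^\p{scx=kana}\p{scx=hira}\p{scx=hani}]` on both sides, so this alternative only fires when the character has a non-Japanese neighbour both before and after it. The four added ideographs are Han themselves, so one next to another Han character, or at the start or end of a label, is not rejected here. Whether another check in SafeToDisplayAsUnicode covers those labels cannot be seen from this hunk. I would record the limit in the comment above the pattern, for example `// Not matched at a label boundary or beside another Kana/Hira/Han character.`, and pin the intended result for those positions in idn_cases in url_formatter_unittest.cc. The function body starts and ends outside the hunk.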
diff --git a/chromium/components/url_formatter/url_formatter_unittest.cc b/chromium/components/url_formatter/url_formatter_unittest.cc
index b55a37d27d4..1a309905b4e 100644
--- a/chromium/components/url_formatter/url_formatter_unittest.cc
+++ b/chromium/components/url_formatter/url_formatter_unittest.cc
@@ -1042,6 +1042,16 @@ const IDNTestCase idn_cases[] = {
// U+4E00 with another ideograph.
{"xn--4gqc.com", L"一丁.com", true},
+ // CJK ideographs looking like slashes should be blocked when next to
+ // non-CJK.
+ {"example.xn--comtest-k63k", L"example.com丶test", false},
+ {"example.xn--comtest-u83k", L"example.com乀test", false},
+ {"example.xn--comtest-283k", L"example.com乁test", false},
+ {"example.xn--comtest-m83k", L"example.com丿test", false},
+ // This is allowed because the ideographs are not immediately next to
+ // non-CJK.
+ {"xn--oiqsace.com", L"丶乀乁丿.com", true},
+
// Kana voiced sound marks are not allowed.
{"xn--google-1m4e.com", L"google\x3099.com", false},
{"xn--google-8m4e.com", L"google\x309A.com", false},
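Review bot: The two added comments say "non-CJK", but the pattern under test exempts only Katakana, Hiragana and Han neighbours, so "CJK" overstates the exempt set (a Hangul neighbour, for instance, is not exempt by that pattern). I would word them as `// non-Japanese scripts (anything other than Katakana, Hiragana or Han).` to match the comment in idn_spoof_checker.cc. All four blocked cases also put the ideograph in the same position, inside the last label between Latin letters; a case in a non-final label would show that the rule applies per label. The idn_cases array starts and ends outside the hunk.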