summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-13 10:43:57 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-13 12:02:07 +0000
commit5c76f0592d0e949ea81abe4af0c1d2996175862f (patch)
tree8a4ec75e143c3c50ef7da063b8bab8b9bb5b5926
parent7b5e48775b3ac89f49d4b0f74b7db03540cc212b (diff)
downloadqtwebengine-chromium-5c76f0592d0e949ea81abe4af0c1d2996175862f.tar.gz
[Backport] Fix for CVE-2019-5776
Include U+0517 in set of Cyrillic/Latin lookalikes. Cyrillic letter U+0517 (ԗ) looks somewhat similar to the Latin letter p. This CL adds this character to the set of Cyrillic characters that look like Latin characters. Domains made up entirely of Cyrillic/Latin lookalikes are displayed as punycode in URLs. Bug: 863663 Change-Id: I4340c48d124c9c4cd3d3b5d0f9d3865d709e082d Reviewed-on: https://chromium-review.googlesource.com/c/1286825 Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org> Commit-Queue: Peter Kasting <pkasting@chromium.org> Reviewed-by: Peter Kasting <pkasting@chromium.org> Cr-Commit-Position: refs/heads/master@{#600582} Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat
-rw-r--r--chromium/components/url_formatter/idn_spoof_checker.cc2
-rw-r--r--chromium/components/url_formatter/url_formatter_unittest.cc3
2 files changed, 4 insertions, 1 deletions
diff --git a/chromium/components/url_formatter/idn_spoof_checker.cc b/chromium/components/url_formatter/idn_spoof_checker.cc
index 7bce3b676b2..c0449e0ae99 100644
--- a/chromium/components/url_formatter/idn_spoof_checker.cc
+++ b/chromium/components/url_formatter/idn_spoof_checker.cc
@@ -171,7 +171,7 @@ IDNSpoofChecker::IDNSpoofChecker() {
// These Cyrillic letters look like Latin. A domain label entirely made of
// these letters is blocked as a simplified whole-script-spoofable.
cyrillic_letters_latin_alike_ = icu::UnicodeSet(
- icu::UnicodeString::fromUTF8("[асԁеһіјӏорԛѕԝхуъЬҽпгѵѡ]"), status);
+ icu::UnicodeString::fromUTF8("[асԁеһіјӏорԗԛѕԝхуъЬҽпгѵѡ]"), status);
cyrillic_letters_latin_alike_.freeze();
cyrillic_letters_ =
diff --git a/chromium/components/url_formatter/url_formatter_unittest.cc b/chromium/components/url_formatter/url_formatter_unittest.cc
index 249c92f5d10..6e37bf810af 100644
--- a/chromium/components/url_formatter/url_formatter_unittest.cc
+++ b/chromium/components/url_formatter/url_formatter_unittest.cc
@@ -381,6 +381,9 @@ const IDNTestCase idn_cases[] = {
// музей (museum in Russian) has characters without a Latin-look-alike.
{"xn--e1adhj9a.com", L"\x043c\x0443\x0437\x0435\x0439.com", true},
+ // ѕсоԗе.com is Cyrillic with Latin lookalikes.
+ {"xn--e1ari3f61c.com", L"\x0455\x0441\x043e\x0517\x0435.com", false},
+
// Combining Diacritic marks after a script other than Latin-Greek-Cyrillic
{"xn--rsa2568fvxya.com", L"\xd55c\x0301\xae00.com", false}, // 한́글.com
{"xn--rsa0336bjom.com", L"\x6f22\x0307\x5b57.com", false}, // 漢̇字.com
View Lorry Controller Status