author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-13 10:43:57 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-13 12:02:07 +0000 |
commit | 5c76f0592d0e949ea81abe4af0c1d2996175862f (patch) | |
tree | 8a4ec75e143c3c50ef7da063b8bab8b9bb5b5926 /chromium/components | |
parent | 7b5e48775b3ac89f49d4b0f74b7db03540cc212b (diff) | |
download | qtwebengine-chromium-5c76f0592d0e949ea81abe4af0c1d2996175862f.tar.gz |
[Backport] Fix for CVE-2019-5776
Include U+0517 in set of Cyrillic/Latin lookalikes.
Cyrillic letter U+0517 (ԗ) looks somewhat similar to the Latin letter p.
This CL adds this character to the set of Cyrillic characters that look
like Latin characters. Domains made up entirely of Cyrillic/Latin
lookalikes are displayed as punycode in URLs.
Bug: 863663
Change-Id: I4340c48d124c9c4cd3d3b5d0f9d3865d709e082d
Reviewed-on: https://chromium-review.googlesource.com/c/1286825
Commit-Queue: Joe DeBlasio <jdeblasio@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#600582}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/components')
-rw-r--r-- | chromium/components/url_formatter/idn_spoof_checker.cc | 2 | ||||
-rw-r--r-- | chromium/components/url_formatter/url_formatter_unittest.cc | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/chromium/components/url_formatter/idn_spoof_checker.cc b/chromium/components/url_formatter/idn_spoof_checker.cc
index 7bce3b676b2..c0449e0ae99 100644
--- a/chromium/components/url_formatter/idn_spoof_checker.cc
+++ b/chromium/components/url_formatter/idn_spoof_checker.cc
@@ -171,7 +171,7 @@ IDNSpoofChecker::IDNSpoofChecker() {
 // These Cyrillic letters look like Latin. A domain label entirely made of
 // these letters is blocked as a simplified whole-script-spoofable.
 cyrillic_letters_latin_alike_ = icu::UnicodeSet(
- icu::UnicodeString::fromUTF8("[асԁеһіјӏорԛѕԝхуъЬҽпгѵѡ]"), status);
+ icu::UnicodeString::fromUTF8("[асԁеһіјӏорԗԛѕԝхуъЬҽпгѵѡ]"), status);
 cyrillic_letters_latin_alike_.freeze();
 
 cyrillic_letters_ =
diff --git a/chromium/components/url_formatter/url_formatter_unittest.cc b/chromium/components/url_formatter/url_formatter_unittest.cc
index 249c92f5d10..6e37bf810af 100644
--- a/chromium/components/url_formatter/url_formatter_unittest.cc
+++ b/chromium/components/url_formatter/url_formatter_unittest.cc
@@ -381,6 +381,9 @@ const IDNTestCase idn_cases[] = {
 // музей (museum in Russian) has characters without a Latin-look-alike.
 {"xn--e1adhj9a.com", L"\x043c\x0443\x0437\x0435\x0439.com", true},
 
+ // ѕсоԗе.com is Cyrillic with Latin lookalikes.
+ {"xn--e1ari3f61c.com", L"\x0455\x0441\x043e\x0517\x0435.com", false},
+
 // Combining Diacritic marks after a script other than Latin-Greek-Cyrillic
 {"xn--rsa2568fvxya.com", L"\xd55c\x0301\xae00.com", false}, // 한́글.com
 {"xn--rsa0336bjom.com", L"\x6f22\x0307\x5b57.com", false}, // 漢̇字.com |
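Review bot: The lookalike set passed to `icu::UnicodeString::fromUTF8("[…]")` in idn_spoof_checker.cc is a run of raw glyphs that are, by design, hard to tell apart from Latin, so a reader cannot see which code point this change adds or audit the set by eye. A comment above the assignment such as `// U+0517 (ԗ) resembles Latin 'p'; see CVE-2019-5776.` would make the new entry reviewable. Listing the members by code point next to the literal would also make later additions easier to check. The constructor body starts and ends outside the hunk, so whether `status` is checked after the `icu::UnicodeSet` construction is not visible here.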
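Review bot: The new `idn_cases` entry in url_formatter_unittest.cc pins only the blocked path, a label made entirely of lookalikes with expected result `false`. Nothing added here checks that a label mixing U+0517 with a Cyrillic letter that has no Latin lookalike is still displayed as Unicode. A companion case with expected result `true`, placed next to the музей entry, would guard against the set change over-blocking legitimate Cyrillic labels; its punycode form should be generated by a tool rather than written by hand. The comment could also name the code point under test, e.g. `// ѕсоԗе.com is all Cyrillic/Latin lookalikes, including U+0517 (ԗ).` The `idn_cases` array starts and ends outside the hunk.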