From 8b78be4530aefc030393978589f6cca1221d58ff Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Wed, 13 Feb 2019 10:44:48 +0100 Subject: [Backport] Fix for CVE-2019-5775 and CVE-2019-5777 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mapping several Indic characters to confusables. A number of characters from several Indian scripts are confusable, especially with numbers. This change maps these characters to their ASCII lookalike to allow fallback to punycode when displaying probable spoofing URLs. Bug: 849421 Bug: 892646 Bug: 896722 Change-Id: I6d463642f3541454dc39bf4b32b8291417697c52 Reviewed-on: https://chromium-review.googlesource.com/c/1295179 Reviewed-by: Tommy Li Commit-Queue: Joe DeBlasio Cr-Commit-Position: refs/heads/master@{#602032} Reviewed-by: Michael Brüning --- .../components/url_formatter/idn_spoof_checker.cc | 21 +++++++++++++-- .../url_formatter/top_domains/test_domains.list | 7 +++++ .../top_domains/test_domains.skeletons | 7 +++++ .../url_formatter/url_formatter_unittest.cc | 31 ++++++++++++++++++++++ 4 files changed, 64 insertions(+), 2 deletions(-) diff --git a/chromium/components/url_formatter/idn_spoof_checker.cc b/chromium/components/url_formatter/idn_spoof_checker.cc index c0449e0ae99..2931767e4b1 100644 --- a/chromium/components/url_formatter/idn_spoof_checker.cc +++ b/chromium/components/url_formatter/idn_spoof_checker.cc @@ -231,9 +231,18 @@ IDNSpoofChecker::IDNSpoofChecker() { // - {U+050D (ԍ), U+100c (ဌ)} => g // - {U+0D1F (ട), U+0E23 (ร), U+0EA3 (ຣ), U+0EAE (ຮ)} => s // - U+1042 (၂) => j + // - {U+0966 (०), U+09E6 (০), U+0A66 (੦), U+0AE6 (૦), U+0B30 (ଠ), + // U+0B66 (୦), U+0CE6 (೦)} => o, + // - {U+09ED (৭), U+0A67 (੧), U+0AE7 (૧)} => q, + // - {U+0E1A (บ), U+0E9A (ບ)} => u + // - {U+0968 (२), U+09E8 (২), U+0A68 (੨), U+0A68 (੨), U+0AE8 (૨), + // U+0ce9 (೩), U+0ced (೭)} => 2, // - {U+0437 (з), U+0499 (ҙ), U+04E1 (ӡ), U+0909 (उ), U+0993 (ও), + // U+0A69 (੩), U+0AE9 (૩), U+0C69 (౩), // U+1012 (ဒ), U+10D5 (ვ), U+10DE (პ)} => 3 - // - {U+0E1A (บ), U+0E9A (ບ)} => u + // - {U+0A6B (੫)} => 4, + // - {U+09EA (৪), U+0A6A (੪), U+0b6b (୫)} => 8, + // - {U+0AED (૭), U+0b68 (୨), U+0C68 (౨)} => 9, extra_confusable_mapper_.reset(icu::Transliterator::createFromRules( UNICODE_STRING_SIMPLE("ExtraConf"), icu::UnicodeString::fromUTF8( @@ -243,7 +252,15 @@ IDNSpoofChecker::IDNSpoofChecker() { "[мӎ] > m; [єҽҿၔ] > e; ґ > r; [ғӻ] > f;" "[ҫင] > c; ұ > y; [χҳӽӿ] > x;" "ԃ > d; [ԍဌ] > g; [ടรຣຮ] > s; ၂ > j;" - "[зҙӡउওဒვპ] > 3; [บບ] > u"), + "[०০੦૦ଠ୦೦] > o;" + "[৭੧૧] > q;" + "[บບ] > u;" + "[२২੨੨૨೩೭] > 2;" + "[зҙӡउও੩૩౩ဒვპ] > 3;" + "[੫] > 4;" + "[৪੪୫] > 8;" + "[૭୨౨] > 9;" + ), UTRANS_FORWARD, parse_error, status)); DCHECK(U_SUCCESS(status)) << "Spoofchecker initalization failed due to an error: " diff --git a/chromium/components/url_formatter/top_domains/test_domains.list b/chromium/components/url_formatter/top_domains/test_domains.list index 466caf995c3..466dadebff5 100644 --- a/chromium/components/url_formatter/top_domains/test_domains.list +++ b/chromium/components/url_formatter/top_domains/test_domains.list @@ -23,3 +23,10 @@ wsou.com aece.com aen.com n11.com +o2.com +28.com +39.com +89.com +43.com +oo.com +qq.com diff --git a/chromium/components/url_formatter/top_domains/test_domains.skeletons b/chromium/components/url_formatter/top_domains/test_domains.skeletons index 218bdc65a74..ecf5b68a795 100644 --- a/chromium/components/url_formatter/top_domains/test_domains.skeletons +++ b/chromium/components/url_formatter/top_domains/test_domains.skeletons @@ -34,3 +34,10 @@ l23456789O.corn, 1234567890.com aece.corn, aece.com aen.corn, aen.com nll.corn, n11.com +o2.corn, o2.com +28.corn, 28.com +39.corn, 39.com +89.corn, 89.com +43.corn, 43.com +oo.corn, oo.com +qq.corn, qq.com diff --git a/chromium/components/url_formatter/url_formatter_unittest.cc b/chromium/components/url_formatter/url_formatter_unittest.cc index 6e37bf810af..012d0f02cb1 100644 --- a/chromium/components/url_formatter/url_formatter_unittest.cc +++ b/chromium/components/url_formatter/url_formatter_unittest.cc @@ -420,6 +420,35 @@ const IDNTestCase idn_cases[] = { L"123.com", false}, + // 'o2.com', '28.com', '39.com', '43.com', '89.com', 'oo.com' and 'qq.com' + // are all explicitly added to the test domain list to aid testing of + // Latin-lookalikes that are numerics in other character sets and similar + // edge cases. + // + // Bengali: + {"xn--07be.com", L"\x09e6\x09e8.com", false}, + {"xn--27be.com", L"\x09e8\x09ea.com", false}, + {"xn--77ba.com", L"\x09ed\x09ed.com", false}, + // Gurmukhi: + {"xn--qcce.com", L"\x0a68\x0a6a.com", false}, + {"xn--occe.com", L"\x0a66\x0a68.com", false}, + {"xn--rccd.com", L"\x0a6b\x0a69.com", false}, + {"xn--pcca.com", L"\x0a67\x0a67.com", false}, + // Telugu: + {"xn--drcb.com", L"\x0c69\x0c68.com", false}, + // Devanagari: + {"xn--d4be.com", L"\x0966\x0968.com", false}, + // Kannada: + {"xn--yucg.com", L"\x0ce6\x0ce9.com", false}, + {"xn--yuco.com", L"\x0ce6\x0ced.com", false}, + // Oriya: + {"xn--1jcf.com", L"\x0b6b\x0b68.com", false}, + {"xn--zjca.com", L"\x0b66\x0b66.com", false}, + // Gujarati: + {"xn--cgce.com", L"\x0ae6\x0ae8.com", false}, + {"xn--fgci.com", L"\x0ae9\x0aed.com", false}, + {"xn--dgca.com", L"\x0ae7\x0ae7.com", false}, + // wmhtb.com {"xn--l1acpvx.com", L"\x0448\x043c\x043d\x0442\x044c.com", false}, // щмнть.com @@ -599,6 +628,8 @@ const IDNTestCase idn_cases[] = { L"12345678\x0b68" L"0.com", false}, + // 123456789ଠ.com + {"xn--http://123456789-v01b.com", L"http://123456789\x0b20.com", false}, // 123456789ꓳ.com {"xn--123456789-tx75a.com", L"123456789\xa4f3.com", false}, -- cgit v1.2.1