Bug 1473911 - Fix URL spoofing combining dot + ijk r=necko-reviewers,jesup

Differential Revision: https://phabricator.services.mozilla.com/D161783
This commit is contained in:
Valentin Gosu 2022-11-25 14:25:47 +00:00
parent 9ba0462e79
commit ad6ceb30fb
2 changed files with 9 additions and 4 deletions

View File

@ -701,6 +701,11 @@ bool nsIDNService::isLabelSafe(const nsAString& label) {
return false;
}
if (ch == 0x307 &&
(previousChar == 'i' || previousChar == 'j' || previousChar == 'l')) {
return false;
}
// Check for mixed numbering systems
auto genCat = GetGeneralCategory(ch);
if (genCat == HB_UNICODE_GENERAL_CATEGORY_DECIMAL_NUMBER) {

View File

@ -201,13 +201,13 @@ let testCases = [
// The following three are detected by |dangerous_pattern| regex, but
// can be regarded as an extension of blocking repeated diacritic marks.
// i followed by U+0307 (combining dot above)
["xn--pixel-8fd.com", "pi\u0307xel.com", kUnsafe, "DISABLED"],
["xn--pixel-8fd.com", "pi\u0307xel.com", kUnsafe],
// U+0131 (dotless i) followed by U+0307
["xn--pxel-lza43z.com", "p\u0131\u0307xel.com", kUnsafe],
// j followed by U+0307 (combining dot above)
["xn--jack-qwc.com", "j\u0307ack.com", kUnsafe, "DISABLED"],
["xn--jack-qwc.com", "j\u0307ack.com", kUnsafe],
// l followed by U+0307
["xn--lace-qwc.com", "l\u0307ace.com", kUnsafe, "DISABLED"],
["xn--lace-qwc.com", "l\u0307ace.com", kUnsafe],
// Do not allow a combining mark after dotless i/j.
["xn--pxel-lza29y.com", "p\u0131\u0300xel.com", kUnsafe],
@ -344,7 +344,7 @@ let testCases = [
// mail.đigklmo68.co.uk:
["mail.xn--igklmo68-kcb.co.uk", "mail.\u0111igklmo68.co.uk", kUnsafe, "DISABLED"],
// di̇gklmo68.com:
["xn--digklmo68-6jf.com", "di\u0307gklmo68.com", kUnsafe, "DISABLED"],
["xn--digklmo68-6jf.com", "di\u0307gklmo68.com", kUnsafe],
// dig̱klmo68.com:
["xn--digklmo68-7vf.com", "dig\u0331klmo68.com", kUnsafe, "DISABLED"],
// digĸlmo68.com: