linuxdcpp-team team mailing list archive

Thread
Date

[Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs

To: linuxdcpp-team@xxxxxxxxxxxxxxxxxxx
From: eMTee <1425276@xxxxxxxxxxxxxxxxxx>
Date: Sun, 01 Mar 2015 17:03:23 -0000
Reply-to: Bug 1425276 <1425276@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

[2015-02-28 17:28] [17:28:46] <cologic> as specific examples of http://kb.mozillazine.org/Network.IDN.blacklist_chars characters I don't seen an obvious problem with, all of the "VULGAR FRACTION" ones seem fine. Ditto the various other FRACTION, DIVISION SLASH, RATIO, SOLIDUS, etc codepoints. These are slightly exotic and a web browser doesn't like them in URLs because slashes hold such special meaning in URLs, but DC doesn't ascribe that meaning to begin with, so they seem pretty safe.
[2015-02-28 17:33] [17:33:04] <cologic> Other characters they're wary about that DC has no real reason to be include colons ("If we've included 05C3 HEBREW PUNCTUATION SOF PASUQ because it looks like a colon" from https://bugzilla.mozilla.org/show_bug.cgi?id=479336#c1 for example) and percent signs. The real hazardous class is, that I can see, (a) sort of meta-control characters that control direction of text drawing characters (bidi control, for example). To the extent oe wants to keep whitespace out of some field, Unicode has a wide variety of space characters of varying lengths and line-breaking statuses. Not sure what the right way to handle that is.
[2015-02-28 17:34] [17:34:19] <Pretorian> All space and line breaks should be blocked, IMO.
[2015-02-28 17:35] [17:35:44] <cologic> Line breaks are kind of a problem, yeah. Allow freeform chat spoofing.
[2015-02-28 17:36] [17:36:05] <cologic> At least outside fields where they're already expected
[2015-02-28 17:36] [17:36:24] <cologic> (e.g., multiline chat is already well-handled, but putting them in nicks...)

** Bug watch added: Mozilla Bugzilla #479336
   https://bugzilla.mozilla.org/show_bug.cgi?id=479336

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1425276

Title:
  The Unicode mirror character and possibly other similar ones can be
  used for nick spoofing in ADC hubs

Status in DC++:
  Confirmed

Bug description:
  Basically what's described at http://stackoverflow.com/questions/3115204/unicode-mirror-character used by some recent malware to trick with file extensions seems to be working for DC++, too. 
  See the attached screenshot. It produces various other funny effects throughout the DC++ interface where the nick is displayed alone or in conjunction with other text/data.

  For other possible problematic chars cologic suggests that anything in
  http://www.fileformat.info/info/unicode/block/general_punctuation/list.htm
  from U+2000 to U+206F inclusive is pretty suspect. Some look like they
  have legitimate use, though, (U+2030 to U+205E inclusive, for
  example). But, minimally, filtering out a few of the codepoints from
  that block: LEFT-TO-RIGHT OVERRIDE (U+202D), RIGHT-TO-LEFT OVERRIDE
  (U+202E), LEFT-TO-RIGHT EMBEDDING (U+202A), RIGHT-TO-LEFT EMBEDDING
  (U+202B),   POP DIRECTIONAL FORMATTING (U+202C), etc.

  Also here's a handy list of possible other suspects:
  http://kb.mozillazine.org/Network.IDN.blacklist_chars

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1425276/+subscriptions

References

[Bug 1425276] [NEW] The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
From: eMTee, 2015-02-24