linuxdcpp-team team mailing list archive

Thread
Date

[Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs

To: linuxdcpp-team@xxxxxxxxxxxxxxxxxxx
From: eMTee <1425276@xxxxxxxxxxxxxxxxxx>
Date: Sun, 01 Mar 2015 17:16:25 -0000
Reply-to: Bug 1425276 <1425276@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

It's also to be decided that in what parts of DC++ needs these chars to be filtered. Possible areas are user list, chat, hub window, queue, transferview for nicks and hub names but also there's search results, file list, finished download windows for shared files and the name (path) of downloaded files themseves.
The latter list is about trickery with file names and I think DC++ should handle these the way some web browsers and e-mail clients do (e.g. Mozilla products).
It seems to be best to get rid of these chars in the lib level, right after they received so they cannot cause any trouble in the ui level and in saved files.

--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1425276

Title:
The Unicode mirror character and possibly other similar ones can be
used for nick spoofing in ADC hubs

Status in DC++:
Confirmed

Bug description:
Basically what's described at http://stackoverflow.com/questions/3115204/unicode-mirror-character used by some recent malware to trick with file extensions seems to be working for DC++, too.
See the attached screenshot. It produces various other funny effects throughout the DC++ interface where the nick is displayed alone or in conjunction with other text/data.

For other possible problematic chars cologic suggests that anything in
http://www.fileformat.info/info/unicode/block/general_punctuation/list.htm
from U+2000 to U+206F inclusive is pretty suspect. Some look like they
have legitimate use, though, (U+2030 to U+205E inclusive, for
example). But, minimally, filtering out a few of the codepoints from
that block: LEFT-TO-RIGHT OVERRIDE (U+202D), RIGHT-TO-LEFT OVERRIDE
(U+202E), LEFT-TO-RIGHT EMBEDDING (U+202A), RIGHT-TO-LEFT EMBEDDING
(U+202B), POP DIRECTIONAL FORMATTING (U+202C), etc.

Also here's a handy list of possible other suspects:
http://kb.mozillazine.org/Network.IDN.blacklist_chars

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1425276/+subscriptions

References

[Bug 1425276] [NEW] The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
From: eMTee, 2015-02-24