[2015-02-28 17:28] [17:28:46] <cologic> as specific examples of http://kb.mozillazine.org/Network.IDN.blacklist_chars characters I don't seen an obvious problem with, all of the "VULGAR FRACTION" ones seem fine. Ditto the various other FRACTION, DIVISION SLASH, RATIO, SOLIDUS, etc codepoints. These are slightly exotic and a web browser doesn't like them in URLs because slashes hold such special meaning in URLs, but DC doesn't ascribe that meaning to begin with, so they seem pretty safe. [2015-02-28 17:33] [17:33:04] <cologic> Other characters they're wary about that DC has no real reason to be include colons ("If we've included 05C3 HEBREW PUNCTUATION SOF PASUQ because it looks like a colon" from https://bugzilla.mozilla.org/show_bug.cgi?id=479336#c1 for example) and percent signs. The real hazardous class is, that I can see, (a) sort of meta-control characters that control direction of text drawing characters (bidi control, for example). To the extent oe wants to keep whitespace out of some field, Unicode has a wide variety of space characters of varying lengths and line-breaking statuses. Not sure what the right way to handle that is. [2015-02-28 17:34] [17:34:19] <Pretorian> All space and line breaks should be blocked, IMO. [2015-02-28 17:35] [17:35:44] <cologic> Line breaks are kind of a problem, yeah. Allow freeform chat spoofing. [2015-02-28 17:36] [17:36:05] <cologic> At least outside fields where they're already expected [2015-02-28 17:36] [17:36:24] <cologic> (e.g., multiline chat is already well-handled, but putting them in nicks...)
** Bug watch added: Mozilla Bugzilla #479336 https://bugzilla.mozilla.org/show_bug.cgi?id=479336 -- You received this bug notification because you are a member of Dcplusplus-team, which is subscribed to DC++. https://bugs.launchpad.net/bugs/1425276 Title: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs Status in DC++: Confirmed Bug description: Basically what's described at http://stackoverflow.com/questions/3115204/unicode-mirror-character used by some recent malware to trick with file extensions seems to be working for DC++, too. See the attached screenshot. It produces various other funny effects throughout the DC++ interface where the nick is displayed alone or in conjunction with other text/data. For other possible problematic chars cologic suggests that anything in http://www.fileformat.info/info/unicode/block/general_punctuation/list.htm from U+2000 to U+206F inclusive is pretty suspect. Some look like they have legitimate use, though, (U+2030 to U+205E inclusive, for example). But, minimally, filtering out a few of the codepoints from that block: LEFT-TO-RIGHT OVERRIDE (U+202D), RIGHT-TO-LEFT OVERRIDE (U+202E), LEFT-TO-RIGHT EMBEDDING (U+202A), RIGHT-TO-LEFT EMBEDDING (U+202B), POP DIRECTIONAL FORMATTING (U+202C), etc. Also here's a handy list of possible other suspects: http://kb.mozillazine.org/Network.IDN.blacklist_chars To manage notifications about this bug go to: https://bugs.launchpad.net/dcplusplus/+bug/1425276/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~linuxdcpp-team Post to : linuxdcpp-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~linuxdcpp-team More help : https://help.launchpad.net/ListHelp
