I think it should be decided at a protocol level how to handle these; otherwise, programs would transmit information they have changed in ways they thought were correct but based on their own rules, which may differ from one program to the other.
Eg when browsing a file list, should DC++ transmit original names or its modified ones? Only the former would be doable in the current state (each program to its own), but that would mean having to store the names twice. I'd prefer we first define white / black lists of characters and the transformations expected by peers (or rules on their output, so any wrong name would be erroneous per the protocol). Then DC++ and other programs will implement these. Regarding NMDC, let's first handle ADC and derive what is needed from there. I guess nicks will need specific thoughts (more than in ADC). -- You received this bug notification because you are a member of Dcplusplus-team, which is subscribed to DC++. https://bugs.launchpad.net/bugs/1425276 Title: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs Status in DC++: Confirmed Bug description: Basically what's described at http://stackoverflow.com/questions/3115204/unicode-mirror-character used by some recent malware to trick with file extensions seems to be working for DC++, too. See the attached screenshot. It produces various other funny effects throughout the DC++ interface where the nick is displayed alone or in conjunction with other text/data. For other possible problematic chars cologic suggests that anything in http://www.fileformat.info/info/unicode/block/general_punctuation/list.htm from U+2000 to U+206F inclusive is pretty suspect. Some look like they have legitimate use, though, (U+2030 to U+205E inclusive, for example). But, minimally, filtering out a few of the codepoints from that block: LEFT-TO-RIGHT OVERRIDE (U+202D), RIGHT-TO-LEFT OVERRIDE (U+202E), LEFT-TO-RIGHT EMBEDDING (U+202A), RIGHT-TO-LEFT EMBEDDING (U+202B), POP DIRECTIONAL FORMATTING (U+202C), etc. Also here's a handy list of possible other suspects: http://kb.mozillazine.org/Network.IDN.blacklist_chars To manage notifications about this bug go to: https://bugs.launchpad.net/dcplusplus/+bug/1425276/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~linuxdcpp-team Post to : linuxdcpp-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~linuxdcpp-team More help : https://help.launchpad.net/ListHelp
