** Attachment added: "spoofing_dcpp_sends_msg_to_airdc.jpg" https://bugs.launchpad.net/dcplusplus/+bug/1425276/+attachment/5542073/+files/spoofing_dcpp_sends_msg_to_airdc.jpg
-- You received this bug notification because you are a member of Dcplusplus-team, which is subscribed to DC++. https://bugs.launchpad.net/bugs/1425276 Title: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs Status in AirDC++: Confirmed Status in DC++: Confirmed Bug description: Basically what's described at http://stackoverflow.com/questions/3115204/unicode-mirror-character used by some recent malware to trick with file extensions seems to be working for DC++, too. See the attached screenshot. It produces various other funny effects throughout the DC++ interface where the nick is displayed alone or in conjunction with other text/data. For other possible problematic chars cologic suggests that anything in http://www.fileformat.info/info/unicode/block/general_punctuation/list.htm from U+2000 to U+206F inclusive is pretty suspect. Some look like they have legitimate use, though, (U+2030 to U+205E inclusive, for example). But, minimally, filtering out a few of the codepoints from that block: LEFT-TO-RIGHT OVERRIDE (U+202D), RIGHT-TO-LEFT OVERRIDE (U+202E), LEFT-TO-RIGHT EMBEDDING (U+202A), RIGHT-TO-LEFT EMBEDDING (U+202B), POP DIRECTIONAL FORMATTING (U+202C), etc. Also here's a handy list of possible other suspects: http://kb.mozillazine.org/Network.IDN.blacklist_chars To manage notifications about this bug go to: https://bugs.launchpad.net/airdcpp/+bug/1425276/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~linuxdcpp-team Post to : linuxdcpp-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~linuxdcpp-team More help : https://help.launchpad.net/ListHelp
