Added characters that look like padlocks to URL unescaping blacklist.

net/base/escape.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/escape.h"
 
 #include <algorithm>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
@@ skipping 146 matching lines @@
   if (!UnescapeUnsignedCharAtIndex(escaped_text, index + 6, &third_byte))
     return false;
   if (second_byte == 0x80) {
     return third_byte == 0x8E ||
            third_byte == 0x8F ||
            (third_byte >= 0xAA && third_byte <= 0xAE);
   }
   return third_byte >= 0xA6 && third_byte <= 0xA9;
 }
 
+// Returns true if there is a four-byte banned char at |index|. |first_byte| is
+// the byte at |index|.
+template <typename STR>
+bool HasFourByteBannedCharAtIndex(const STR& escaped_text,
+                                  unsigned char first_byte,
+                                  size_t index) {
+  // The following characters are blacklisted for spoofability concerns.
+  // U+1F50F LOCK WITH INK PEN         (%F0%9F%94%8F)
+  // U+1F510 CLOSED LOCK WITH KEY      (%F0%9F%94%90)
+  // U+1F512 LOCK                      (%F0%9F%94%92)
+  // U+1F513 OPEN LOCK                 (%F0%9F%94%93)
+  if (first_byte != 0xF0)
+    return false;
+
+  unsigned char second_byte;
+  if (!UnescapeUnsignedCharAtIndex(escaped_text, index + 3, &second_byte) ||
+      second_byte != 0x9F) {
+    return false;
+  }
+
+  unsigned char third_byte;
+  if (!UnescapeUnsignedCharAtIndex(escaped_text, index + 6, &third_byte) ||
+      third_byte != 0x94) {
+    return false;
+  }
+
+  unsigned char fourth_byte;
+  if (!UnescapeUnsignedCharAtIndex(escaped_text, index + 9, &fourth_byte) ||
+      (fourth_byte != 0x8F && fourth_byte != 0x90 && fourth_byte != 0x92 &&
+       fourth_byte != 0x93)) {

[Peter Kasting, 2015/06/22 07:35:22]

Nit: Simpler:

  return UnescapeUnsignedCharAtIndex(escaped_text, index + 9, &fourth_byte) &&
      (fourth_byte == 0x8F || fourth_byte == 0x90 || fourth_byte == 0x92 ||
       fourth_byte == 0x93);

[Matt Giuca, 2015/06/23 04:14:10]

Done.

+    return false;
+  }
+
+  return true;
+}
+
 // Unescapes |escaped_text| according to |rules|, returning the resulting
 // string.  Fills in an |adjustments| parameter, if non-NULL, so it reflects
 // the alterations done to the string that are not one-character-to-one-
 // character.  The resulting |adjustments| will always be sorted by increasing
 // offset.
 template<typename STR>
 STR UnescapeURLWithAdjustmentsImpl(
     const STR& escaped_text,
     UnescapeRule::Type rules,
     base::OffsetAdjuster::Adjustments* adjustments) {
@@ skipping 33 matching lines @@
       // Additionally, the Unicode Technical Report (TR9) as referenced by RFC
       // 3987 above has since added some new BiDi control characters.
       // http://www.unicode.org/reports/tr9
       //
       // U+061C ARABIC LETTER MARK         (%D8%9C)
       // U+2066 LEFT-TO-RIGHT ISOLATE      (%E2%81%A6)
       // U+2067 RIGHT-TO-LEFT ISOLATE      (%E2%81%A7)
       // U+2068 FIRST STRONG ISOLATE       (%E2%81%A8)
       // U+2069 POP DIRECTIONAL ISOLATE    (%E2%81%A9)
       //
+      // The following spoofable characters are also banned, because they could
+      // be used to imitate parts of the browser UI.

[mmenke, 2015/06/22 17:05:07]

It's a layering violation for net/ to know about anything in content/ (Which
includes things like the UI thread and IO thread...as well as the fact its
primary use case is being used in a browser).

Also worth noting the network stack is used in apps other than browsers.

[Matt Giuca, 2015/06/23 04:14:10]

OK well the entire reason for these chars being banned is that they clash with
web browser UI, so it doesn't make sense for this comment *not* to mention web
browsers. (ie. if you use this module in a non-web-browser app, then the locks
probably don't need to be banned.)

But I take your point, so I changed "parts of the browser UI" to "parts of a web
browser's UI."

+      //
+      // U+1F50F LOCK WITH INK PEN         (%F0%9F%94%8F)
+      // U+1F510 CLOSED LOCK WITH KEY      (%F0%9F%94%90)
+      // U+1F512 LOCK                      (%F0%9F%94%92)
+      // U+1F513 OPEN LOCK                 (%F0%9F%94%93)
+      //
       // However, some schemes such as data: and file: need to parse the exact
       // binary data when loading the URL. For that reason, CONTROL_CHARS allows
       // unescaping BiDi control characters.
       // DO NOT use CONTROL_CHARS if the parsed URL is going to be displayed
       // in the UI.
       if (!(rules & UnescapeRule::CONTROL_CHARS)) {
         if (HasArabicLanguageMarkAtIndex(escaped_text, first_byte, i)) {
           // Keep Arabic Language Mark escaped.
           result.append(escaped_text, i, 6);
           i += 5;
           continue;
         }
         if (HasThreeByteBidiControlCharAtIndex(escaped_text, first_byte, i)) {
           // Keep BiDi control char escaped.
           result.append(escaped_text, i, 9);
           i += 8;
           continue;
         }
+        if (HasFourByteBannedCharAtIndex(escaped_text, first_byte, i)) {
+          // Keep banned char escaped.
+          result.append(escaped_text, i, 12);
+          i += 11;
+          continue;
+        }
       }
 
       if (first_byte >= 0x80 ||  // Unescape all high-bit characters.
           // For 7-bit characters, the lookup table tells us all valid chars.
           (kUrlUnescape[first_byte] ||
            // ...and we allow some additional unescaping when flags are set.
            (first_byte == ' ' && (rules & UnescapeRule::SPACES)) ||
            // Allow any of the prohibited but non-control characters when
            // we're doing "special" chars.
            (first_byte > ' ' && (rules & UnescapeRule::URL_SPECIAL_CHARS)) ||
@@ skipping 206 matching lines @@
                        1, kEscapeToChars[i].replacement);
           break;
         }
       }
     }
   }
   return text;
 }
 
 }  // namespace net