OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "components/url_formatter/idn_spoof_checker.h" |
| 6 |
| 7 #include "base/numerics/safe_conversions.h" |
| 8 #include "base/strings/string_split.h" |
| 9 #include "base/strings/string_util.h" |
| 10 #include "base/threading/thread_local_storage.h" |
| 11 #include "third_party/icu/source/common/unicode/schriter.h" |
| 12 #include "third_party/icu/source/common/unicode/unistr.h" |
| 13 #include "third_party/icu/source/i18n/unicode/regex.h" |
| 14 #include "third_party/icu/source/i18n/unicode/uspoof.h" |
| 15 |
| 16 namespace url_formatter { |
| 17 |
| 18 namespace { |
| 19 base::ThreadLocalStorage::StaticSlot tls_index = TLS_INITIALIZER; |
| 20 |
| 21 void OnThreadTermination(void* regex_matcher) { |
| 22 delete reinterpret_cast<icu::RegexMatcher*>(regex_matcher); |
| 23 } |
| 24 |
| 25 } // namespace |
| 26 |
| 27 IDNSpoofChecker::IDNSpoofChecker() { |
| 28 UErrorCode status = U_ZERO_ERROR; |
| 29 checker_ = uspoof_open(&status); |
| 30 if (U_FAILURE(status)) { |
| 31 checker_ = nullptr; |
| 32 return; |
| 33 } |
| 34 |
| 35 // At this point, USpoofChecker has all the checks enabled except |
| 36 // for USPOOF_CHAR_LIMIT (USPOOF_{RESTRICTION_LEVEL, INVISIBLE, |
| 37 // MIXED_SCRIPT_CONFUSABLE, WHOLE_SCRIPT_CONFUSABLE, MIXED_NUMBERS, ANY_CASE}) |
| 38 // This default configuration is adjusted below as necessary. |
| 39 |
| 40 // Set the restriction level to moderate. It allows mixing Latin with another |
| 41 // script (+ COMMON and INHERITED). Except for Chinese(Han + Bopomofo), |
| 42 // Japanese(Hiragana + Katakana + Han), and Korean(Hangul + Han), only one |
| 43 // script other than Common and Inherited can be mixed with Latin. Cyrillic |
| 44 // and Greek are not allowed to mix with Latin. |
| 45 // See http://www.unicode.org/reports/tr39/#Restriction_Level_Detection |
| 46 uspoof_setRestrictionLevel(checker_, USPOOF_MODERATELY_RESTRICTIVE); |
| 47 |
| 48 // Sets allowed characters in IDN labels and turns on USPOOF_CHAR_LIMIT. |
| 49 SetAllowedUnicodeSet(&status); |
| 50 |
| 51 // Enable the return of auxillary (non-error) information. |
| 52 // We used to disable WHOLE_SCRIPT_CONFUSABLE check explicitly, but as of |
| 53 // ICU 58.1, WSC is a no-op in a single string check API. |
| 54 int32_t checks = uspoof_getChecks(checker_, &status) | USPOOF_AUX_INFO; |
| 55 uspoof_setChecks(checker_, checks, &status); |
| 56 |
| 57 // Four characters handled differently by IDNA 2003 and IDNA 2008. UTS46 |
| 58 // transitional processing treats them as IDNA 2003 does; maps U+00DF and |
| 59 // U+03C2 and drops U+200[CD]. |
| 60 deviation_characters_ = icu::UnicodeSet( |
| 61 UNICODE_STRING_SIMPLE("[\\u00df\\u03c2\\u200c\\u200d]"), status); |
| 62 deviation_characters_.freeze(); |
| 63 |
| 64 // Latin letters outside ASCII. 'Script_Extensions=Latin' is not necessary |
| 65 // because additional characters pulled in with scx=Latn are not included in |
| 66 // the allowed set. |
| 67 non_ascii_latin_letters_ = |
| 68 icu::UnicodeSet(UNICODE_STRING_SIMPLE("[[:Latin:] - [a-zA-Z]]"), status); |
| 69 non_ascii_latin_letters_.freeze(); |
| 70 |
| 71 // These letters are parts of |dangerous_patterns_|. |
| 72 kana_letters_exceptions_ = icu::UnicodeSet( |
| 73 UNICODE_STRING_SIMPLE("[\\u3078-\\u307a\\u30d8-\\u30da\\u30fb-\\u30fe]"), |
| 74 status); |
| 75 kana_letters_exceptions_.freeze(); |
| 76 |
| 77 // These Cyrillic letters look like Latin. A domain label entirely made of |
| 78 // these letters is blocked as a simplified whole-script-spoofable. |
| 79 cyrillic_letters_latin_alike_ = |
| 80 icu::UnicodeSet(icu::UnicodeString("[асԁеһіјӏорԛѕԝхуъЬҽпгѵѡ]"), status); |
| 81 cyrillic_letters_latin_alike_.freeze(); |
| 82 |
| 83 cyrillic_letters_ = |
| 84 icu::UnicodeSet(UNICODE_STRING_SIMPLE("[[:Cyrl:]]"), status); |
| 85 cyrillic_letters_.freeze(); |
| 86 |
| 87 DCHECK(U_SUCCESS(status)); |
| 88 } |
| 89 |
| 90 IDNSpoofChecker::~IDNSpoofChecker() { |
| 91 uspoof_close(checker_); |
| 92 } |
| 93 |
| 94 bool IDNSpoofChecker::SafeToDisplayAsUnicode(base::StringPiece16 label, |
| 95 bool is_tld_ascii) { |
| 96 UErrorCode status = U_ZERO_ERROR; |
| 97 int32_t result = |
| 98 uspoof_check(checker_, label.data(), |
| 99 base::checked_cast<int32_t>(label.size()), NULL, &status); |
| 100 // If uspoof_check fails (due to library failure), or if any of the checks |
| 101 // fail, treat the IDN as unsafe. |
| 102 if (U_FAILURE(status) || (result & USPOOF_ALL_CHECKS)) |
| 103 return false; |
| 104 |
| 105 icu::UnicodeString label_string(FALSE, label.data(), |
| 106 base::checked_cast<int32_t>(label.size())); |
| 107 |
| 108 // A punycode label with 'xn--' prefix is not subject to the URL |
| 109 // canonicalization and is stored as it is in GURL. If it encodes a deviation |
| 110 // character (UTS 46; e.g. U+00DF/sharp-s), it should be still shown in |
| 111 // punycode instead of Unicode. Without this check, xn--fu-hia for |
| 112 // 'fu<sharp-s>' would be converted to 'fu<sharp-s>' for display because |
| 113 // "UTS 46 section 4 Processing step 4" applies validity criteria for |
| 114 // non-transitional processing (i.e. do not map deviation characters) to any |
| 115 // punycode labels regardless of whether transitional or non-transitional is |
| 116 // chosen. On the other hand, 'fu<sharp-s>' typed or copy and pasted |
| 117 // as Unicode would be canonicalized to 'fuss' by GURL and is displayed as |
| 118 // such. See http://crbug.com/595263 . |
| 119 if (deviation_characters_.containsSome(label_string)) |
| 120 return false; |
| 121 |
| 122 // If there's no script mixing, the input is regarded as safe without any |
| 123 // extra check unless it contains Kana letter exceptions or it's made entirely |
| 124 // of Cyrillic letters that look like Latin letters. Note that the following |
| 125 // combinations of scripts are treated as a 'logical' single script. |
| 126 // - Chinese: Han, Bopomofo, Common |
| 127 // - Japanese: Han, Hiragana, Katakana, Common |
| 128 // - Korean: Hangul, Han, Common |
| 129 result &= USPOOF_RESTRICTION_LEVEL_MASK; |
| 130 if (result == USPOOF_ASCII) |
| 131 return true; |
| 132 if (result == USPOOF_SINGLE_SCRIPT_RESTRICTIVE && |
| 133 kana_letters_exceptions_.containsNone(label_string)) { |
| 134 // Check Cyrillic confusable only for ASCII TLDs. |
| 135 return !is_tld_ascii || !IsMadeOfLatinAlikeCyrillic(label_string); |
| 136 } |
| 137 |
| 138 // Additional checks for |label| with multiple scripts, one of which is Latin. |
| 139 // Disallow non-ASCII Latin letters to mix with a non-Latin script. |
| 140 if (non_ascii_latin_letters_.containsSome(label_string)) |
| 141 return false; |
| 142 |
| 143 if (!tls_index.initialized()) |
| 144 tls_index.Initialize(&OnThreadTermination); |
| 145 icu::RegexMatcher* dangerous_pattern = |
| 146 reinterpret_cast<icu::RegexMatcher*>(tls_index.Get()); |
| 147 if (!dangerous_pattern) { |
| 148 // Disallow the katakana no, so, zo, or n, as they may be mistaken for |
| 149 // slashes when they're surrounded by non-Japanese scripts (i.e. scripts |
| 150 // other than Katakana, Hiragana or Han). If {no, so, zo, n} next to a |
| 151 // non-Japanese script on either side is disallowed, legitimate cases like |
| 152 // '{vitamin in Katakana}b6' are blocked. Note that trying to block those |
| 153 // characters when used alone as a label is futile because those cases |
| 154 // would not reach here. |
| 155 // Also disallow what used to be blocked by mixed-script-confusable (MSC) |
| 156 // detection. ICU 58 does not detect MSC any more for a single input string. |
| 157 // See http://bugs.icu-project.org/trac/ticket/12823 . |
| 158 // TODO(jshin): adjust the pattern once the above ICU bug is fixed. |
| 159 // - Disallow U+30FB (Katakana Middle Dot) and U+30FC (Hiragana-Katakana |
| 160 // Prolonged Sound) used out-of-context. |
| 161 // - Dislallow U+30FD/E (Katakana iteration mark/voiced iteration mark) |
| 162 // unless they're preceded by a Katakana. |
| 163 // - Disallow three Hiragana letters (U+307[8-A]) or Katakana letters |
| 164 // (U+30D[8-A]) that look exactly like each other when they're used in a |
| 165 // label otherwise entirely in Katakna or Hiragana. |
| 166 // - Disallow U+0585 (Armenian Small Letter Oh) and U+0581 (Armenian Small |
| 167 // Letter Co) to be next to Latin. |
| 168 // - Disallow Latin 'o' and 'g' next to Armenian. |
| 169 // - Disalow mixing of Latin and Canadian Syllabary. |
| 170 dangerous_pattern = new icu::RegexMatcher( |
| 171 icu::UnicodeString( |
| 172 R"([^\p{scx=kana}\p{scx=hira}\p{scx=hani}])" |
| 173 R"([\u30ce\u30f3\u30bd\u30be])" |
| 174 R"([^\p{scx=kana}\p{scx=hira}\p{scx=hani}]|)" |
| 175 R"([^\p{scx=kana}\p{scx=hira}]\u30fc|^\u30fc|)" |
| 176 R"([^\p{scx=kana}][\u30fd\u30fe]|^[\u30fd\u30fe]|)" |
| 177 R"(^[\p{scx=kana}]+[\u3078-\u307a][\p{scx=kana}]+$|)" |
| 178 R"(^[\p{scx=hira}]+[\u30d8-\u30da][\p{scx=hira}]+$|)" |
| 179 R"([a-z]\u30fb|\u30fb[a-z]|)" |
| 180 R"(^[\u0585\u0581]+[a-z]|[a-z][\u0585\u0581]+$|)" |
| 181 R"([a-z][\u0585\u0581]+[a-z]|)" |
| 182 R"(^[og]+[\p{scx=armn}]|[\p{scx=armn}][og]+$|)" |
| 183 R"([\p{scx=armn}][og]+[\p{scx=armn}]|)" |
| 184 R"([\p{sc=cans}].*[a-z]|[a-z].*[\p{sc=cans}])", |
| 185 -1, US_INV), |
| 186 0, status); |
| 187 tls_index.Set(dangerous_pattern); |
| 188 } |
| 189 dangerous_pattern->reset(label_string); |
| 190 return !dangerous_pattern->find(); |
| 191 } |
| 192 |
| 193 bool IDNSpoofChecker::IsMadeOfLatinAlikeCyrillic( |
| 194 const icu::UnicodeString& label) { |
| 195 // A shortcut of defining cyrillic_letters_latin_alike_ to include [0-9] and |
| 196 // [_-] and checking if the set contains all letters of |label_string| |
| 197 // would work in most cases, but not if a label has non-letters outside |
| 198 // ASCII. |
| 199 icu::UnicodeSet cyrillic_in_label; |
| 200 icu::StringCharacterIterator it(label); |
| 201 for (it.setToStart(); it.hasNext();) { |
| 202 const UChar32 c = it.next32PostInc(); |
| 203 if (cyrillic_letters_.contains(c)) |
| 204 cyrillic_in_label.add(c); |
| 205 } |
| 206 return !cyrillic_in_label.isEmpty() && |
| 207 cyrillic_letters_latin_alike_.containsAll(cyrillic_in_label); |
| 208 } |
| 209 |
| 210 void IDNSpoofChecker::SetAllowedUnicodeSet(UErrorCode* status) { |
| 211 if (U_FAILURE(*status)) |
| 212 return; |
| 213 |
| 214 // The recommended set is a set of characters for identifiers in a |
| 215 // security-sensitive environment taken from UTR 39 |
| 216 // (http://unicode.org/reports/tr39/) and |
| 217 // http://www.unicode.org/Public/security/latest/xidmodifications.txt . |
| 218 // The inclusion set comes from "Candidate Characters for Inclusion |
| 219 // in idenfiers" of UTR 31 (http://www.unicode.org/reports/tr31). The list |
| 220 // may change over the time and will be updated whenever the version of ICU |
| 221 // used in Chromium is updated. |
| 222 const icu::UnicodeSet* recommended_set = |
| 223 uspoof_getRecommendedUnicodeSet(status); |
| 224 icu::UnicodeSet allowed_set; |
| 225 allowed_set.addAll(*recommended_set); |
| 226 const icu::UnicodeSet* inclusion_set = uspoof_getInclusionUnicodeSet(status); |
| 227 allowed_set.addAll(*inclusion_set); |
| 228 |
| 229 // Five aspirational scripts are taken from UTR 31 Table 6 at |
| 230 // http://www.unicode.org/reports/tr31/#Aspirational_Use_Scripts . |
| 231 // Not all the characters of aspirational scripts are suitable for |
| 232 // identifiers. Therefore, only characters belonging to |
| 233 // [:Identifier_Type=Aspirational:] (listed in 'Status/Type=Aspirational' |
| 234 // section at |
| 235 // http://www.unicode.org/Public/security/latest/xidmodifications.txt) are |
| 236 // are added to the allowed set. The list has to be updated when a new |
| 237 // version of Unicode is released. The current version is 9.0.0 and ICU 60 |
| 238 // will have Unicode 10.0 data. |
| 239 #if U_ICU_VERSION_MAJOR_NUM < 60 |
| 240 const icu::UnicodeSet aspirational_scripts( |
| 241 icu::UnicodeString( |
| 242 // Unified Canadian Syllabics |
| 243 "[\\u1401-\\u166C\\u166F-\\u167F" |
| 244 // Mongolian |
| 245 "\\u1810-\\u1819\\u1820-\\u1877\\u1880-\\u18AA" |
| 246 // Unified Canadian Syllabics |
| 247 "\\u18B0-\\u18F5" |
| 248 // Tifinagh |
| 249 "\\u2D30-\\u2D67\\u2D7F" |
| 250 // Yi |
| 251 "\\uA000-\\uA48C" |
| 252 // Miao |
| 253 "\\U00016F00-\\U00016F44\\U00016F50-\\U00016F7E" |
| 254 "\\U00016F8F-\\U00016F9F]", |
| 255 -1, US_INV), |
| 256 *status); |
| 257 allowed_set.addAll(aspirational_scripts); |
| 258 #else |
| 259 #error "Update aspirational_scripts per Unicode 10.0" |
| 260 #endif |
| 261 |
| 262 // U+0338 is included in the recommended set, while U+05F4 and U+2027 are in |
| 263 // the inclusion set. However, they are blacklisted as a part of Mozilla's |
| 264 // IDN blacklist (http://kb.mozillazine.org/Network.IDN.blacklist_chars). |
| 265 // U+2010 is in the inclusion set, but we drop it because it can be confused |
| 266 // with an ASCII U+002D (Hyphen-Minus). |
| 267 // U+0338 and U+2027 are dropped; the former can look like a slash when |
| 268 // rendered with a broken font, and the latter can be confused with U+30FB |
| 269 // (Katakana Middle Dot). U+05F4 (Hebrew Punctuation Gershayim) is kept, |
| 270 // even though it can look like a double quotation mark. Using it in Hebrew |
| 271 // should be safe. When used with a non-Hebrew script, it'd be filtered by |
| 272 // other checks in place. |
| 273 allowed_set.remove(0x338u); // Combining Long Solidus Overlay |
| 274 allowed_set.remove(0x2010u); // Hyphen |
| 275 allowed_set.remove(0x2027u); // Hyphenation Point |
| 276 |
| 277 #if defined(OS_MACOSX) |
| 278 // The following characters are reported as present in the default macOS |
| 279 // system UI font, but they render as blank. Remove them from the allowed |
| 280 // set to prevent spoofing. |
| 281 // Tibetan characters used for transliteration of ancient texts: |
| 282 allowed_set.remove(0x0F8Cu); |
| 283 allowed_set.remove(0x0F8Du); |
| 284 allowed_set.remove(0x0F8Eu); |
| 285 allowed_set.remove(0x0F8Fu); |
| 286 #endif |
| 287 |
| 288 uspoof_setAllowedUnicodeSet(checker_, &allowed_set, status); |
| 289 } |
| 290 |
| 291 } // namespace url_formatter |
OLD | NEW |