Bug 97438 - URLs are not escaped by Punycode and are susceptible to IDN attacks
Status: NEEDINFO
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): Inherited From OOo
Hardware: All All
Importance: high major
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks: Hyperlink
Reported: 2016-01-29 16:05 UTC by Matthew Jones
Modified: 2024-01-26 07:15 UTC (History)

See Also:
Crash report or crash signature:


Description Matthew Jones 2016-01-29 16:05:18 UTC
LibreOffice does not seem to use Punycode to escape unsafe URLs. For example:

http://asĸ.com

http://ask.com

The first URL is not the same as the second. It uses "ĸ" instead of "k".

This shows up with mouse-over tooltips, and Ctrl+click to open events.

This ODT file demonstrates the problem:
https://github.com/SoftwareAddictionShow/IDN-homograph-attack/blob/master/examples/idn_attack_example.odt

Sorry if this has already been reported. I have looked for a few days, and not found any related bugs.
Comment 1 Buovjaga 2016-02-09 11:21:36 UTC
Confirmed.

https://en.wikipedia.org/wiki/Punycode

Win 7 Pro 64-bit Version: 5.2.0.0.alpha0+
Build ID: 76ec54e8c9f3580450bca85236a4f5af0c328588
CPU Threads: 4; OS Version: Windows 6.1; UI Render: default; 
TinderBox: Win-x86@39, Branch:master, Time: 2016-02-09_00:10:35
Locale: fi-FI (fi_FI)
Comment 2 Xisco Faulí 2017-09-29 08:50:35 UTC Comment hidden (obsolete)
Comment 3 eisa01 2019-11-03 16:29:01 UTC
Still present

Version: 6.4.0.0.alpha1+
Build ID: 80109586e6cb6d3e2e0a53a9079c3125ec9b8368
CPU threads: 4; OS: Mac OS X 10.14.6; UI render: default; VCL: osx; 
Locale: en-US (en_US.UTF-8); UI-Language: en-US
Calc: threaded
Comment 4 QA Administrators 2021-11-03 04:31:44 UTC Comment hidden (obsolete)
Comment 5 QA Administrators 2023-11-04 03:15:00 UTC Comment hidden (obsolete)
Comment 6 Matt K 2023-12-15 03:25:12 UTC
When I try to click the link for the incorrect "ask.com" in the doc given in comment 0, it opens the Microsoft Edge web browser and tries to connect to http://xn--as-3pa.com/, which is the Punycode translation. So, it seems like it's up to the browser to handle these types of links, not LO. Can you confirm this, or be more specific about what an attack scenario would look like?
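
An added example, not part of the bug thread and not LibreOffice code: a Python version of the check the report asks for, converting a link's host to its Punycode form before the tooltip is shown, so the two URLs from the description no longer look alike. The function names and the tooltip wording are assumptions; the hosts are the ones quoted in the description and in comment 6.

```python
import unicodedata
from urllib.parse import urlsplit


def inspect_link(url):
    """Describe a link target so a UI can show what will really be opened.

    Hypothetical helper: returns the host's IDNA/Punycode (ASCII) form,
    its Unicode form, and the non-ASCII characters the host contains.
    """
    host = urlsplit(url).hostname or ""
    try:
        # Python's built-in "idna" codec (IDNA 2003) works label by label;
        # labels with non-ASCII characters become "xn--..." Punycode.
        ascii_host = host.encode("idna").decode("ascii")
        # Decode again so hosts that arrive already encoded are covered.
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        # Over-long labels, prohibited characters or malformed Punycode.
        return {"ascii_host": None, "unicode_host": None, "is_idn": True,
                "non_ascii": [], "tooltip": f"{url} (invalid host name)"}
    non_ascii = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
                 for c in unicode_host if ord(c) > 127]
    is_idn = bool(non_ascii)
    # Show the ASCII form beside the rendered URL so a look-alike
    # character cannot pass as its ASCII counterpart.
    tooltip = f"{url} (opens host {ascii_host})" if is_idn else url
    return {"ascii_host": ascii_host, "unicode_host": unicode_host,
            "is_idn": is_idn, "non_ascii": non_ascii, "tooltip": tooltip}


def same_host(url_a, url_b):
    """Compare two links by the ASCII form of their hosts."""
    a = inspect_link(url_a)["ascii_host"]
    b = inspect_link(url_b)["ascii_host"]
    return a is not None and a == b


if __name__ == "__main__":
    # The two URLs from the bug description; \u0138 is the kra character.
    for link in ("http://as\u0138.com", "http://ask.com"):
        info = inspect_link(link)
        print(info["tooltip"], info["non_ascii"])
```
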