From 7c2cbc445a81424c7df48ebe61ec4d0dcadd5dff Mon Sep 17 00:00:00 2001 From: mgiuca Date: Tue, 23 Jun 2015 20:59:47 -0700 Subject: Added characters that look like padlocks to URL unescaping blacklist. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This blacklists the following Unicode characters: - U+1F50F LOCK WITH INK PEN - U+1F510 CLOSED LOCK WITH KEY - U+1F512 LOCK - U+1F513 OPEN LOCK This prevents LOCK characters from appearing in a URL in the Chrome UI, potentially looking like an SSL padlock icon (e.g., "google.com/🔒" is now displayed as "google.com/%F0%9F%94%92"). This presented a spoofing risk due to a few complications: 1. In RTL mode, the end of the URL (path/query) is aligned right up against the right edge of the Omnibox, where the SSL padlock is usually displayed. 2. On Mac, ChromeOS, and Android, LOCK characters are displayed in colour, making them more convincing. Note: These characters will still be unescaped when using the SPOOFING_AND_CONTROL_CHARS unescape rule (used for decoding data URLs, previously known as CONTROL_CHARS). BUG=495934,421332 TBR=jam@chromium.org Review URL: https://codereview.chromium.org/1180393003 Cr-Commit-Position: refs/heads/master@{#335870} --- storage/common/fileapi/file_system_util.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'storage/common') diff --git a/storage/common/fileapi/file_system_util.cc b/storage/common/fileapi/file_system_util.cc index f67c864..98b6cc8 100644 --- a/storage/common/fileapi/file_system_util.cc +++ b/storage/common/fileapi/file_system_util.cc @@ -182,7 +182,7 @@ bool ParseFileSystemSchemeURL(const GURL& url, std::string path = net::UnescapeURLComponent(url.path(), net::UnescapeRule::SPACES | net::UnescapeRule::URL_SPECIAL_CHARS | - net::UnescapeRule::CONTROL_CHARS); + net::UnescapeRule::SPOOFING_AND_CONTROL_CHARS); // Ensure the path is relative. while (!path.empty() && path[0] == '/') -- cgit v1.1