https://bugs.documentfoundation.org/show_bug.cgi?id=97438
Bug ID: 97438
Summary: URLs are not escaped by Punycode and are susceptible
to IDN attacks
Product: LibreOffice
Version: 5.0.4.2 release
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: LibreOffice
Assignee: [email protected]
Reporter: [email protected]
LibreOffice does not seem to use Punycode to escape unsafe URLS. For example:
http://asĸ.com
http://ask.com
The first url is not the same as the second. It uses "ĸ" instead of "k".
This shows up with mouse over tool tips, and ctrl+click to open events.
This ODT file demonstrates the problem:
https://github.com/SoftwareAddictionShow/IDN-homograph-attack/blob/master/examples/idn_attack_example.odt
Sorry if this has already been reported. I have looked for a few days, and not
found any related bugs.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Libreoffice-bugs mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
