From 6a10ce377cc4bd7ffa5de1651d29db21116f195a Mon Sep 17 00:00:00 2001
From: Sarah Jamie Lewis
Date: Mon, 12 Oct 2015 22:44:16 -0700
Subject: [PATCH 1/2] Updating URL Regex

The old URL regex had a few issues which were revealed by fuzzing, the biggest being that it accepted non-printable characters (e.g. 0x00 or 0x01) as part of the URL. This created the scenario where a url of https://example.com/[0x00] would be rendered as %2 (and attempting to open the link would give a value like "https://example.com https://example.com " due to some odd iteraction with the regex that I haven't quite worked out. The new regex appears to work with all the iterations I have tried and rejects non-printable characters.
---
 src/ui/LinkedText.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ui/LinkedText.cpp b/src/ui/LinkedText.cpp
index ecb2f156..bdc31127 100644
--- a/src/ui/LinkedText.cpp
+++ b/src/ui/LinkedText.cpp
@@ -41,7 +41,7 @@ LinkedText::LinkedText(QObject *parent) : QObject(parent) { // Select things that look like URLs of some kind and allow QUrl::fromUserInput to validate them
- linkRegex = QRegularExpression(QStringLiteral("([a-z]{3,9}:|www\\.)([^\\s,.);!>]|[,.);!>](?!\\s|$))+"), QRegularExpression::CaseInsensitiveOption);
+ linkRegex = QRegularExpression(QStringLiteral("([a-z]{3,9}:|www\\.)((([\\p{L}\\p{N}\\?#/~=]+)|([\\-\\._:&%][^\\p{Zs}])+)+)"), QRegularExpression::CaseInsensitiveOption);
 allowedSchemes << QStringLiteral("http") << QStringLiteral("https")
From c62a7d10edb7e9f7534807dada5291b79c30ba84 Mon Sep 17 00:00:00 2001
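Review bot: The second alternative of the new pattern, `([\\-\\._:&%][^\\p{Zs}])+`, accepts any character that is not a space separator after one of the listed punctuation marks, so control characters such as 0x00 or 0x01 and Unicode format characters can still end up inside a match when they follow `.`, `-`, `_`, `:`, `&` or `%`. That leaves part of the case the commit message describes open. Restricting the follower to characters that are neither separators nor in the "Other" category, e.g. `([\\-\\._:&%][^\\p{Z}\\p{C}])+`, would close it, and a regression test built from the fuzzing inputs would pin the behaviour. The constructor continues outside the hunk, so whether the later QUrl::fromUserInput validation rejects such matches cannot be confirmed from here.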
From: Sarah Jamie Lewis
Date: Sun, 8 Nov 2015 16:30:09 -0800
Subject: [PATCH 2/2] Prevents Bidi Phishing

Prevent attempts at phishing through unicode direction controls by forcing left-to-right display for links through html entity ‪ This is a fairly minor risk as a victim would have to go through many hoops and not see the obvious url issues. But better fixed than not.
---
 src/ui/LinkedText.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/ui/LinkedText.cpp b/src/ui/LinkedText.cpp
index bdc31127..7f5294a5 100644
--- a/src/ui/LinkedText.cpp
+++ b/src/ui/LinkedText.cpp
@@ -64,7 +64,12 @@ QString LinkedText::parsed(const QString &input) if (start > p) re.append(input.mid(p, start - p).toHtmlEscaped().replace(QLatin1Char('\n'), QStringLiteral("
")));
- re.append(QStringLiteral("%2").arg(QString::fromLatin1(url.toEncoded()).toHtmlEscaped()).arg(match.capturedRef().toString().toHtmlEscaped()));
+
+ // Surround link with ‪ (LEFT-TO-RIGHT EMBEDDING) and ‬ (POP DIRECTIONAL FORMATTING )
+ // this will force URI's to be rendered left to right, while preserving the direction of the overall
+ // text. This prevents phising attacks where the attacker tries obscure the URI by using unicode
+ // bidi control characters.
+ re.append(QStringLiteral("‪%2‬").arg(QString::fromLatin1(url.toEncoded()).toHtmlEscaped()).arg(match.capturedRef().toString().toHtmlEscaped()));
 p = match.capturedEnd(); }
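Review bot: Wrapping the link in U+202A … U+202C on the new `re.append(...)` line opens an embedding, but it does not neutralise directional controls inside the matched text itself. The visible label is still `match.capturedRef().toString().toHtmlEscaped()`, and the link regex from the previous patch admits any non-space character after `.`, `-`, `_`, `:`, `&` or `%`. A U+202C inside the label would close the embedding early and an override character would still reorder what follows, so the added comment's claim that this will "force URI's to be rendered left to right" overstates the guarantee. Consider declining to linkify, or stripping before display, when the captured text matches `QRegularExpression(QStringLiteral("[\\x{200E}\\x{200F}\\x{202A}-\\x{202E}\\x{2066}-\\x{2069}]"))`, and reword the comment to say the wrapper only sets the base direction. parsed() starts and ends outside the hunk, so the surrounding loop is not visible here.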