Details
-
Bug
-
Resolution: Done
-
P2: Important
-
6.2.0 Beta2
-
None
-
fe9ddbe197d6ce4ff2634415c621c8fd9fe5810a (qt/qtbase/dev) e4c90e81fe1cd34bd28bd4b21e4b8461e83e8525 (qt/qtbase/6.2)
-
Qt6_Foundation_Sprint 39, Qt6_Foundation_Sprint 40
Description
The Punycode decoding in Qt seems to be missing overflow handling that allows different normalized URLs to be decoded to the same Unicode string without errors:
qDebug() << QUrl::fromAce("xn--5p32g.com"); // "a.com"
This should not be allowed:
% idn --idna-to-unicode xn--5p32g.com xn--5p32g.com % idn2 --decode xn--5p32g.com idn2: decode: string contains invalid punycode data
This particular test case does not work anymore with https://codereview.qt-project.org/c/qt/qtbase/+/363213 applied, but the bug is still there:
qDebug() << QUrl::fromAce("xn--400595c.com"); // "U+10300.com" (the same as "xn--097c.com", the code is escaped because of Jira limitations)
% idn --idna-to-unicode xn--400595c.com xn--400595c.com
The fix is slightly more complicated than adding the range check because of how the code is organized.
The following code was used to generate the test vectors:
from encodings import punycode # xn--5p32g.com == a.com code = 0x61; i = 1 # xn--400595c.com == xn--097c.com # code = 67175168; i = 0 digit = 1114112 * i - 128 + code deltas = [digit] extended = punycode.generate_integers(0, deltas) print(f'xn--{extended.decode()}')
Attachments
Issue Links
- relates to
-
-
- Reported
-