Bug 141113 - konqueror fails to properly handle IDN addresses
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: unspecified Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2007-02-03 09:36 UTC by Arkadiusz Miskiewicz
Modified: 2008-06-11 17:25 UTC
Description Arkadiusz Miskiewicz 2007-02-03 09:36:18 UTC
Version:            (using KDE KDE 3.5.6)
Installed from:    Unlisted Binary Package
Compiler:          4.2.0 
OS:                Linux

libidn-0.6.8-2.i686

trying to open http://www.żółw.pl/ makes konqueror fail and url in address bar changes to:
http://www.zó?w.pl

+ message:
,,Wystąpił błąd podczas wczytywania http://www.zó?w.pl:
Nieznany serwer www.zó''
Comment 1 FiNeX 2008-06-01 23:56:47 UTC
Clicking on that URL, konqueror tries to load:
http://www.?%C3%B3?w.pl
which throws an error.

The same happens with firefox. Do I need some special char encoding to reproduce this bug?
Comment 2 Arkadiusz Miskiewicz 2008-06-02 00:03:56 UTC
$ host www.żółw.pl
www.żółw.pl has address 213.180.128.160

works with firefox for me and still doesn't work with konqueror (3.5.9)

Try iso8859-2 maybe.
Comment 3 FiNeX 2008-06-02 00:37:28 UTC
Thanks Arkadiusz!
konqueror 3.5.9 cannot load the page. Konqueror 4 (from trunk) is able to load it, but it changes the address to:
  http://www.xn--w-uga1v8h.pl/
Comment 4 Maksim Orlovich 2008-06-02 03:17:15 UTC
Why confirm it if it's fixed?
Comment 5 Arkadiusz Miskiewicz 2008-06-02 07:06:56 UTC
So bugs about 3.5 series are ignored by KDE team now - correct?
Comment 6 FiNeX 2008-06-02 10:20:26 UTC
@Maksim: because using konqueror 4 the page is loaded but the URL in the address bar is changed, is it right?
Comment 7 A. Spehr 2008-06-02 11:53:30 UTC
Arkadiusz: Not ignored, we want to make sure the same bugs don't exist in 4. But in some cases entire frameworks have been rewritten. Trying to have developers bugfix three branches (3.5.x, stable branch, trunk) while still adding features is unlikely to happen...
Comment 8 Maksim Orlovich 2008-06-02 17:57:34 UTC
URL changing is deliberate, and prevents a security attack. W/o the changing, you may not be able to tell apart these two different URLs:

bank.pl
bаnk.pl (aka http://xn--bnk-6cd.pl)

The .pl domain administrator isn't in Qt's list of registrars that have policies in place to prevent this attack, so the raw name of the domain is displayed.
Comment 9 FiNeX 2008-06-02 18:17:18 UTC
Ok, thanks Maksim! :-)
Comment 10 Stéphane Bortzmeyer 2008-06-11 11:47:23 UTC
> The .pl domain administrator isn't in Qt's list of registrars that have policies
> in place to prevent this attack

Where can we find this list? How is it managed? (NASK, the ".pl" domain registry, is not a registrar)

(It is very questionable that browsers decide what registry policy is or is not acceptable.)
Comment 11 Maksim Orlovich 2008-06-11 17:25:58 UTC
In the case of KDE4, it's managed by TrollTech, as it's part of Qt (src/corelib/io/qurl.cpp)

The current whitelist is: 

ac
at
br
cat
ch
cl
cn
de
dk
fi
gr
hu
info
io
is
jp
kr
li
lt
museum
no
org
se
sh
th
tm
tw
vn

And questionable or not, would you rather we left known security holes in there?
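
The display rule described in comments 8 and 11, as an added example that is not part of the original bug report and is not Qt's code: a host name is shown in Unicode only when its TLD is on the whitelist, otherwise in its raw xn-- form. It uses Python's built-in IDNA 2003 codec; the function names and the bücher.de sample are assumptions made for the illustration.

```python
# Added illustration, not Qt's qurl.cpp. Uses Python's built-in IDNA 2003 codec.

# TLDs from the whitelist quoted in comment 11 (state as of 2008).
IDN_WHITELIST = frozenset(
    "ac at br cat ch cl cn de dk fi gr hu info io is jp kr li lt "
    "museum no org se sh th tm tw vn".split()
)


def to_ace(host: str) -> str:
    """Return the ASCII-compatible (xn--) form of a host name."""
    # The codec leaves pure-ASCII labels as typed, so lowercase afterwards.
    return host.rstrip(".").encode("idna").decode("ascii").lower()


def display_host(host: str) -> str:
    """Choose the form to show in an address bar.

    Unicode is shown only when the TLD is whitelisted; every other
    internationalized name is shown in its raw xn-- form.
    """
    ace = to_ace(host)
    tld = ace.rsplit(".", 1)[-1]
    if tld in IDN_WHITELIST:
        return ace.encode("ascii").decode("idna")
    return ace


def demo() -> dict:
    """Run the rule over the names from this report plus one constructed name."""
    samples = [
        "www.żółw.pl",       # from the report; .pl is not whitelisted
        "bank.pl",           # all-ASCII name from comment 8
        "b\u0430nk.pl",      # comment 8's look-alike: U+0430 CYRILLIC SMALL LETTER A
        "b\u00fccher.de",    # constructed sample under a whitelisted TLD
    ]
    return {name: display_host(name) for name in samples}


if __name__ == "__main__":
    for typed, shown in demo().items():
        print(f"{typed!r:24} -> {shown}")
```

The two bank names render identically when shown in Unicode, but under this rule the second is displayed as xn--bnk-6cd.pl, so the difference is visible in the address bar.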