How dangerous is allow_utf8_titles?

66 views
Skip to first unread message

daltong defourne

unread,
Feb 5, 2017, 8:37:42 PM2/5/17
to qubes-devel
Hi!
Working with lots of non-english text and sites now. The substitution thing is becoming a bit too much to bear.

How dangerous would using allow_utf8_titles be?
Are risks limited to homographs or is there a risk of something fancier happening, like, I dunno, GUI-daemon exploit (hypothetically) ?

Is there any sanitizing happening if allow_utf8_titles is activated ?

Marek Marczykowski-Górecki

unread,
Feb 5, 2017, 9:51:20 PM2/5/17
to daltong defourne, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, Feb 05, 2017 at 05:37:42PM -0800, daltong defourne wrote:
> Hi!
> Working with lots of non-english text and sites now. The substitution thing
> is becoming a bit too much to bear.
>
> How dangerous would using allow_utf8_titles be?
> Are risks limited to homographs or is there a risk of something fancier
> happening, like, I dunno, GUI-daemon exploit (hypothetically) ?

It's mostly about (unknown) attack vector on window manager - title
rendering and such. As we know from Apple world, strange things may
happen here.

> Is there any sanitizing happening if allow_utf8_titles is activated ?

Yes, we do verify if the title is correct UTF-8 sequence. Also, ASCII
control characters are still disallowed. But nothing more.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYl+SjAAoJENuP0xzK19csLYoH/0GzsPVYtmcXl8HpuHxR6iNV
2zeidlvHtGjkImiZgVxaHhh+cOpfP3iePVVvNWi/KCpP4UzwNEhN0u73hPsBErqH
VZMrfB8bW3nrl1Nitib7qRlV9dYFWoZyIqbuuxgBW3fdq8Sd/lxuchqpi6d7FPc/
60OW1lx5+K9hWXnqayfyL8YlOblPSBP8XFfrnAWkcZH/pxy4/fyx3fxA5GqfosIm
+mqccJ6kveof65tuvWtfXRhpTyAMjetFmNrGFv5yVGXHC1uytxan12u1SSn4gIZD
7pefRvsyscVtWRUXvl0UoUwm8w4wk4yK7BK2DXdE4JQPSnzljA8bJJQkE4TTvbo=
=+3gW
-----END PGP SIGNATURE-----

Radoslaw Szkodzinski

unread,
Feb 6, 2017, 4:49:33 AM2/6/17
to Marek Marczykowski-Górecki, daltong defourne, qubes-devel
On Mon, Feb 6, 2017 at 3:51 AM, Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
> On Sun, Feb 05, 2017 at 05:37:42PM -0800, daltong defourne wrote:
>> Hi!
>> Working with lots of non-english text and sites now. The substitution thing
>> is becoming a bit too much to bear.
>>
>> How dangerous would using allow_utf8_titles be?
>> Are risks limited to homographs or is there a risk of something fancier
>> happening, like, I dunno, GUI-daemon exploit (hypothetically) ?
>
> It's mostly about (unknown) attack vector on window manager - title
> rendering and such. As we know from Apple world, strange things may
> happen here.
>
>> Is there any sanitizing happening if allow_utf8_titles is activated ?
>
> Yes, we do verify if the title is correct UTF-8 sequence. Also, ASCII
> control characters are still disallowed. But nothing more.
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab

It all depends on what the window manager is doing - it can handle
ASCII in an insecure way as well, e.g. to support bells or ANSI color
codes.

The main risk is of homograph attacks - strings that look but aren't the same.
The validator could be extended to provide a warning about a known set
of lookalike characters outside a chosen locale(s), e.g. by adding an
extra string prefix.

Some of the homographs are available in ASCII as well (0,1, o, O, i,
l, I) and are only possible to catch using dictionaries.
Of course such a defense would likely be fallible.

Best regards,
--
Radosław Szkodziński

Vít Šesták

unread,
Feb 9, 2017, 3:45:13 AM2/9/17
to qubes-devel
Characters like “–” seem to be also disallowed. I also haven't succeeded with RTL-related characters like \202e.

Regards,
Vít Šesták 'v6ak'
Reply all
Reply to author
Forward
0 new messages