Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-95597

QUrl: Outdated TLD whitelist hinders IDN usage

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • P2: Important
    • None
    • 6.2.0 Beta2
    • Core: URL Handling
    • None

    Description

      QUrl implementation is using whitelist of TLDs that are allowed to have internationalized domain names (idn_whitelist). It currently has 61 entries. Quick look at the Wikipedia (https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains) shows much more TLDs that support IDN. Wikipedia claims "As of March 2021, the IANA root database includes 1589 TLDs", and it looks like at least half of them support IDNs (even those as listed as ones that don't, like xn--ls8h.la which works in Safari at least). There is also significant amount of TLDs containing non-ASCII characters themselves.

      Having an outdated list of TLDs makes IDN implementation in Qt much less useful. The documentation for setIdnWhitelist has this reason for having the whitelist:

        Qt comes with a default list that contains the Internet top-level domains
      that have published support for Internationalized Domain Names (IDNs)
      and rules to guarantee that no deception can happen between similarly-looking
      characters (such as the Latin lowercase letter \c 'a' and the Cyrillic
      equivalent, which in most fonts are visually identical).

      This list is periodically maintained, as registrars publish new rules.

      The second paragraph is obviously untrue. I claim that the first one is too. Having the whitelist does nothing against the similar looking domain names attack. Those Cyrillic characters are still allowed in .com domain for example, where most of the targets would be. UTS #46 (modern version of IDNA) suggest using other mechanisms, such as those described in UTS #39.

      Instead of trying to update the list (from what source?) and have it obsolete before the next Qt release with current rate of TLD registrations, I propose to deprecate QUrl::setIdnWhitelist() and QUrl::idnWhitelist(), ignore the whitelist in the rest of QUrl code, and direct users to other security measures. Perhaps in the future versions Qt could provide some API for those measures, perhaps in a separate module using ICU.

      Attachments

        Activity

          People

            thiago Thiago Macieira
            ievgenii.meshcheriakov Ievgenii Meshcheriakov
            Vladimir Minenko Vladimir Minenko
            Alex Blasche Alex Blasche
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated: