I just found an interesting crashing bug on OS X, using Squeak-3.6-3.app. There are probably lots of ways to replicate it, but this is how I happened to find it:
- open a Squeak image (tested on a 3.6 era image)
- go to http://www.shmoo.com/idn/ in Safari. This is a demo of an exploit possible by using unicode characters in domain names to spoof well known sites.
- click on the "paypal.com" link and copy the text in the URL bar
- go to Squeak, select any text, and copy
Squeak crashes for me with the message: <NSCharacterConversionException> Conversion to encoding 30 failed for string "https://www.p_ypal.com/" (I inserted a _ in there to show that there's a funny char there in Terminal, but which would show up as an "a" in some email clients).
Avi
Well, I couldn't recreate this, I get 'http://www.p%040ypal.com' when I paste. Not sure about your comment about doing copy in Safari, then copy again in Squeak, trying both copy and paste doesn't seem to do it?
Got some more detailed steps?
Nasty exploit btw.
PS Send me the crash log (not to the list)
On Feb 7, 2005, at 1:44 PM, Avi Bryant wrote:
I just found an interesting crashing bug on OS X, using Squeak-3.6-3.app. There are probably lots of ways to replicate it, but this is how I happened to find it:
- open a Squeak image (tested on a 3.6 era image)
- go to http://www.shmoo.com/idn/ in Safari. This is a demo of an
exploit possible by using unicode characters in domain names to spoof well known sites.
- click on the "paypal.com" link and copy the text in the URL bar
- go to Squeak, select any text, and copy
Squeak crashes for me with the message: <NSCharacterConversionException> Conversion to encoding 30 failed for string "https://www.p_ypal.com/" (I inserted a _ in there to show that there's a funny char there in Terminal, but which would show up as an "a" in some email clients).
Avi
--
John M. McIntosh johnmci@smalltalkconsulting.com 1-800-477-2659
Corporate Smalltalk Consulting Ltd. http://www.smalltalkconsulting.com
I strongly suspect this is referring to the Unix VM.
- Bert -
On 08.02.2005 at 08:46, John M McIntosh wrote:
Well, I couldn't recreate this, I get 'http://www.p%040ypal.com' when I paste. Not sure about your comment about doing copy in Safari, then copy again in Squeak, trying both copy and paste doesn't seem to do it?
Got some more detailed steps?
Nasty exploit btw.
PS Send me the crash log (not to the list)
On Feb 7, 2005, at 1:44 PM, Avi Bryant wrote:
I just found an interesting crashing bug on OS X, using Squeak-3.6-3.app. There are probably lots of ways to replicate it, but this is how I happened to find it:
- open a Squeak image (tested on a 3.6 era image)
- go to http://www.shmoo.com/idn/ in Safari. This is a demo of an
exploit possible by using unicode characters in domain names to spoof well known sites.
- click on the "paypal.com" link and copy the text in the URL bar
- go to Squeak, select any text, and copy
Squeak crashes for me with the message: <NSCharacterConversionException> Conversion to encoding 30 failed for string "https://www.p_ypal.com/" (I inserted a _ in there to show that there's a funny char there in Terminal, but which would show up as an "a" in some email clients).
Avi
On Monday 07 February 2005 1:44 pm, Avi Bryant wrote:
I just found an interesting crashing bug on OS X, using Squeak-3.6-3.app. There are probably lots of ways to replicate it, but this is how I happened to find it:
- open a Squeak image (tested on a 3.6 era image)
- go to http://www.shmoo.com/idn/ in Safari. This is a demo of an
exploit possible by using unicode characters in domain names to spoof well known sites.
- click on the "paypal.com" link and copy the text in the URL bar
- go to Squeak, select any text, and copy
Squeak crashes for me with the message: <NSCharacterConversionException> Conversion to encoding 30 failed for string "https://www.p_ypal.com/" (I inserted a _ in there to show that there's a funny char there in Terminal, but which would show up as an "a" in some email clients).
Using the 3.6g-3 Unix VM in Linux, and a 3.8 image, FWIW:
With the default -textenc setting (ISO8859-1):
Pasting results in a '\u0430' for that character (that is, 6 characters appear for the one Unicode 0x0430 character).
The string looks like this when pasted into a Workspace:
With -textenc UTF-8 (which is allegedly the default for Mac OS X) I get this:
In other words, the character gets translated into a question mark.
In both cases, I can copy the text OK, of course.
The link text is: http://www.p%D0%B0ypal.com/
So anyhow, on the Unix VMs that use iconv it seems to work (well, it doesn't crash, anyway).
squeak-dev@lists.squeakfoundation.org
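An added illustration of the conversion behaviour discussed in this thread (not code from any poster or from the Squeak VM): the link text quoted above is decoded, a strict conversion to a single-byte encoding fails, and two lossy error handlers give the same kinds of output reported from the Unix VM. It assumes that "encoding 30" in the exception is Foundation's NSMacOSRomanStringEncoding, modelled here with Python's mac_roman codec; all function names are hypothetical.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Link text quoted in the thread; %D0%B0 is the UTF-8 encoding of U+0430.
LINK = "http://www.p%D0%B0ypal.com/"

def decoded_host(url):
    """Percent-decode the host part of the URL as UTF-8."""
    return unquote(urlsplit(url).netloc, encoding="utf-8", errors="strict")

def convert(text, codec, errors="strict"):
    """Encode clipboard text for a legacy codec.

    Returns None when a strict conversion is impossible, so the caller
    can fall back instead of dying on an unhandled exception.
    """
    try:
        return text.encode(codec, errors)
    except UnicodeEncodeError:
        return None

def non_ascii_chars(host):
    """List (char, Unicode name) for each non-ASCII character in a host."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]

def to_ace(host):
    """ASCII-compatible (Punycode) form, which exposes the lookalike label."""
    return host.encode("idna").decode("ascii")

if __name__ == "__main__":
    host = decoded_host(LINK)
    # Strict conversion (assumed equivalent of "encoding 30"): fails.
    print("mac_roman strict :", convert(host, "mac_roman"))
    # Lossy fallbacks: escape sequence or question mark, no crash.
    print("backslashreplace :", convert(host, "latin-1", "backslashreplace"))
    print("replace          :", convert(host, "latin-1", "replace"))
    print("non-ASCII chars  :", non_ascii_chars(host))
    print("ACE form         :", to_ace(host))
```

Showing the ACE form or the Unicode names of non-ASCII characters makes the substituted letter visible even when the rendered glyph is indistinguishable from "a".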