Closed
Description
Expected Behavior
- Google fallback should use https.
- Non-ASCII domains need to be %-encoded when constructing the google fallback url because they are url query string parameters. For example, http://💩.la. QUrlQuery::addQueryItem(?
- Internationalized domain names are converted to Punycode by browsers before making requests to the domain. I believe QUrl does this but am not sure. Tests needed?
Current Behavior
- Google fallback is an http endpoint
- Non-ASCII domains fail to fetch favicons from google fallback
Possible Solution
Steps to Reproduce (for bugs)
- Create a new entry with http://💩.la as the URL
- Click on the "Icon" icon
- Click download favicon
- Observe error popup
Context
Debug Info
KeePassXC - Version 2.2.0
Revision: caa49a8
Libraries:
- Qt 5.9.0
- libgcrypt 1.7.7
Operating system: macOS Sierra (10.12)
CPU architecture: x86_64
Kernel: darwin 16.6.0
Enabled extensions:
- KeePassHTTP
- Auto-Type
- YubiKey
Metadata
Assignees
Labels
No labels
Activity
lopopolo commentedon Jul 2, 2017
This could be considered a security issue because the current 2.2.0 leaks (all?) sites in a password database to the network
phoerious commentedon Jul 2, 2017
Downloading a favicon leaks at least the destination server anyway, even when using https (just not the hostname and URL). Also when you add http URLs, they will be called first before any Google fallback (even if that is https). I'll prepare a patch, though.
TheZ3ro commentedon Jul 2, 2017
This will only leaks website you download the favicon for (obviously). I was already planning to fixing google fallback to https for #719
lopopolo commentedon Jul 2, 2017
Ahh yes, I forgot about SNI. Apologies for being overly dramatic.
droidmonkey commentedon Jul 2, 2017
There is nothing particularly sensitive in a domain name, and there is nothing saying the request is coming from a password manager. Favicon lookups is a VERY common transaction.
TheZ3ro commentedon Jul 3, 2017
The
QUrl
behavior seems a little bit strange here.Outputs for various punycode url:
Also, there was this bug https://bugreports.qt.io/browse/QTBUG-60364
phoerious commentedon Feb 27, 2018
I tested both raw emoji and punycode domains with our new cURL backend and it seems to work now.