After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 567871 - missing idn / punycode support
missing idn / punycode support
Status: RESOLVED FIXED
Product: gvfs
Classification: Core
Component: ftp backend
1.1.x
Other All
: Normal minor
: ---
Assigned To: gvfs-maint
gvfs-maint
Depends on: 548287
Blocks:
 
 
Reported: 2009-01-15 16:13 UTC by Daniel Nögel
Modified: 2009-06-11 07:55 UTC
See Also:
GNOME target: ---
GNOME version: 2.23/2.24



Description Daniel Nögel 2009-01-15 16:13:35 UTC
Nautilus supports opening (s)ftp uris. But support for IDN domains is missing for that one has to enter the decoded uri all the time which is kind of annoying.
Insted of ftp://jörg-müller.de one would have to enter ftp://xn--jrg-mller-07a4e.de.
As far as I know there is already gnu idnlib so why not using it?

Greetings,

Daniel

Other information:
Comment 1 Cosimo Cecchi 2009-01-22 19:46:26 UTC
-> gvfs/ftp

AFAICS this should be done inside GVfs.
Comment 2 Andreas Henriksson 2009-01-23 10:15:04 UTC
If we're going to push this down the stack; libsoup does resolving for the ftp backend. 
I don't know if it's wise to push punycode that far down in the stack though. Punycode is an application, rather then protocol, invention and should probably be kept close to the displaying application (if nothing else, only to give it chance to do anti-phishing things - since unicode contains visually identical characters to many normal ascii characters the user needs to be alerted when punycode is being used).

.... alex seems to agree, from the irc discussion:

11:07 < alex> i'm not sure it should be done in gvfs
11:08 < alex> there are all sorts of security issues with it
11:08 < alex> and i don't think such uris are quite uris
11:09 < alex> Maybe g_file_parse_name() could use it
11:09 < fatal> the application displaying the url should probably handle it....
11:09 < fatal> so that they can do as firefox and show the user that it'll be
               converted to a scary xn-- address..
11:09 < alex> I think especially troublesome is displaying the unicode version,
              yes
11:10 < alex> anyway, the async resolver patch has some code for this
11:10 < alex> http://bugzilla.gnome.org/show_bug.cgi?id=548466
...
11:16 < alex> Well, don't take these words as final
11:16 < alex> it requires careful thought, that is all
Comment 3 Andreas Henriksson 2009-04-23 12:06:56 UTC
Just a heads up...

As previously mentioned the ftp backend uses libsoup for resolvning hostnames (amoung other things). Now libsoup is apparently about to be ported over to the new gresolver (just merged into glib development branch) which should handle IDN, all according to: http://mysterion.org/~danw/blog/2009/04/gresolver

That should solve this bug (on the backend side) and applications (nautilus) will need to start worrying about how they are going to solve the needed anti-phishing enhancements that need to go hand in hand with IDN-support.

Comment 4 Dan Winship 2009-04-23 14:35:03 UTC
(In reply to comment #3)
> That should solve this bug (on the backend side) and applications (nautilus)
> will need to start worrying about how they are going to solve the needed
> anti-phishing enhancements that need to go hand in hand with IDN-support.

Sigh. This was supposed to be fixed at the registrar level *years* ago (by the registrars not letting you register names with potentially-confusing/evil mixes of scripts) but apparently it's not... At any rate, it's worth noting that no one actually bothers to attempts IDN homograph attacks, because it's so easy to get users to click on http://bankofamerica.not-really-im-going-to-steal-all-your-money.com.

we should probably just add a g_hostname_is_phishy() to ghostutils.c i guess...
Comment 5 Benjamin Otte (Company) 2009-06-11 07:55:11 UTC
This apparently works now after the switch to gnio. At least it connects to ftp.kindermöbelladen.de fine here.