CVE-2019-9636 - Can this be exploit over the wire?
> On 5 Sep 2019, at 16:18, Random832 <random832 at fastmail.com> wrote:
Thanks for taking the time to reply.
> On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
>> The conclusion I reached is that the CVE only applies to client code
>> that allows a URL in unicode to be entered.
>> Have I missed something important in the analysis?
> While as I mentioned in my other post I'm not sure if the CVE's analysis of URL behavior is correct generally,
Agreed, would have liked to have had more details and context.
> you have missed the fact that an HTML page can provide URLs in unicode, either with the page itself encoded in UTF-8, or with whatever characters escaped as XML character references... not only as bytes in IDNA or percent-escaped hex. The same principle applies to other formats in which URLs might be interchanged as encoded unicode strings, such as JSON. The fact that accessing such a URL requires converting the non-ASCII parts to IDNA (for the domain part) or percent-escaped hex (for other parts) doesn't limit this to user input.
> <a href="https://example.com＃@bing.com">like this</a>
That gets the unicode version into the app and then the bug can be triggered.
In my case this is not a way in as the code does not parse web pages.