On 26/02/09 11:49, Jean-Marc Desperrier wrote:
What's truly broken is that the current i18n attack protection relies on the checking done by the registrar/IDN, and that the registrar/IDN can only check the second-level domain name component.
Actually, our protection had a bug (that is, there were some characters not on our blacklist which should have been). But it's not true that there was no protection.
Gerv _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
