[Development] Qt::CaseInsensitive comparison is not the same as toLower() comparison

Thiago Macieira thiago.macieira at intel.com
Thu Feb 11 00:47:32 CET 2016


On Thursday, 11 February 2016 03:00:02 PST Konstantin Ritt wrote:
> >         CaseSensitive             => no case folding, no normalisation
> >         CaseSensitiveNormalized   => no case folding, but normalised
> >         CaseInsensitive           => case-folded, no normalisation
> >         CaseInsensitiveNormalized => both
> 
> Normalized how? C, D, KC, KD ?

The choice is between K and non-K. Most likely, non-K.

How it's implemented (towards C or towards D) is irrelevant.

> > $ touch $'\u03bc'.txt $'\u00b5'.txt
> > $ ls ?.txt
> > µ.txt  μ.txt
> > 
> > This leads to security vulnerabilities like:
> >         QString filename = QString::fromUtf8(socket.readAll());
> >         if (filename.compare("µ.txt", Qt::CaseInsensitive) == 0) {
> >                 QFile f(filename);
> >                 if (f.open(QIODevice::ReadOnly)) {
> >                         socket.write(f.readAll());
> >                         return true;
> >                 }
> >         }
> >         return false;
> > 
> > [Why would you compare µ case insensitively? Because it wasn't the µ I was
> > concerned about, but the ".txt" part!]
> 
> Quite a synthetic use case, to me.

As security issues often look like before they actually happen. Who would have 
guessed the circumstances of the original TOCTOU attack (flood the Linux kernel 
with enough data to cause cached data to be dropped)?

For a concrete case (not security): an IRC client was made to join a channel 
with ı in the name, but then due to bugs in the client, it joined two or more 
(uppercase leads to I, lowercase leads to i, uppercasing again leads to İ). 
This actually happened.

> Anyways, QUrl has no such issue.

URLs are case-sensitive, except for two portions:

a) scheme, which is limited to A-Z anyway
b) hostnames, for which there are very specific and explicit rules about case-
folding (case-folding and NFKC according to Unicode 3.2, no other)

But that is exactly the issue: if URLs are case-sensitive and the file system 
isn't, then is /%C2%B5.txt the same as /%CE%BC.txt? According to QUrl, they 
aren't, but according to QString::compare with Qt::CaseInsensitive, they are.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
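
Added example, not part of the original message or of Qt: a Python model of the filename check discussed in this thread, run over the two URL paths named above. It assumes `str.casefold()` as a stand-in for `Qt::CaseInsensitive`; `ALLOWED`, `loose_match`, `strict_match`, `path_to_open` and the sample requests are constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

ALLOWED = "\u00b5.txt"  # U+00B5 MICRO SIGN: the one file the check means to serve

def loose_match(requested: str) -> bool:
    # Models the quoted check: the whole name is compared case-insensitively.
    # Assumption: str.casefold() stands in for Qt::CaseInsensitive.
    return requested.casefold() == ALLOWED.casefold()

def strict_match(requested: str) -> bool:
    # Only the extension is compared case-insensitively; the stem must be
    # code-point identical to the allow-listed stem.
    stem, dot, ext = requested.rpartition(".")
    a_stem, _, a_ext = ALLOWED.rpartition(".")
    return dot == "." and stem == a_stem and ext.casefold() == a_ext.casefold()

def path_to_open(requested: str):
    # Open the allow-listed constant, never the string taken from the peer.
    return ALLOWED if strict_match(requested) else None

def first_char(name: str) -> str:
    return f"U+{ord(name[0]):04X} {unicodedata.name(name[0])}"

def normalized_first(form: str) -> str:
    # Non-K forms keep U+00B5 distinct; K forms rewrite it to U+03BC.
    return first_char(unicodedata.normalize(form, ALLOWED))

# Constructed sample requests: the two URL paths from the message, plus an
# upper-case extension on the intended name.
SAMPLES = ["/%C2%B5.txt", "/%CE%BC.txt", "/%C2%B5.TXT"]

def evaluate(path: str):
    name = unquote(path).lstrip("/")
    return first_char(name), loose_match(name), strict_match(name), path_to_open(name)

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, *evaluate(p))
    for form in ("NFC", "NFD", "NFKC", "NFKD"):
        print(form, normalized_first(form))
```

The second sample passes the whole-name comparison while naming a different file on a case-sensitive file system; the strict variant rejects it and still accepts `.TXT`.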



