[Development] Qt::CaseInsensitive comparison is not the same as toLower() comparison

Konstantin Ritt ritt.ks at gmail.com
Thu Feb 11 10:26:50 CET 2016 

2016-02-11 3:47 GMT+04:00 Thiago Macieira <thiago.macieira at intel.com>:

> On quinta-feira, 11 de fevereiro de 2016 03:00:02 PST Konstantin Ritt
> wrote:
> > >         CaseSensitive                           => no case folding, no
> > > normalisation
> > >         CaseSensitiveNormalized => no case folding, but normalised
> > >         CaseInsensitive                         => case-folded, no
> > > normalisation
> > >         CaseInsensitiveNormalized       => both
> >
> > Normalized how? C, D, KC, KD ?
>
> The choice is between K and non-K. Most likely, non-K.
>
> How it's implemented (towards C or towards D) is irrelevant.
>
> > > $ touch $'\u03bc'.txt $'\u00b5'.txt
> > > $ ls ?.txt
> > > µ.txt  μ.txt
> > >
> > > This leads to security vulnerabilities like:
> > >         QString filename = QString::fromUtf8(socket.readAll());
> > >         if (filename.compare("µ.txt", Qt::CaseInsensitive) == 0) {
> > >                 QFile f(filename);
> > >                 if (f.open(QIODevice::ReadOnly)) {
> > >                         socket.write(f.readAll());
> > >                         return true;
> > >                 }
> > >         }
> > >         return false;
> > >
> > > [Why would you compare µ case insensitively? Because it wasn't the µ I
> was
> > > concerned about, but the ".txt" part!]
> >
> > Quite synthetic use case as to me.
>
> As security issues often look like before they actually happen. Who would
> have
> guessed the circumstances of the original TOCTOU attack (flood the Linux
> kernel
> with enough data to cause cached data to be dropped)?
>
> For a concrete case (not security): an IRC client was made to join a
> channel
> with ı in the name, but then due to bugs in the client, it joined two or
> more
> (uppercase leads to I, lowercase leads to i, uppercasing again leads to İ).
> This actually happened.
>
> > Anyways, QUrl has no such issue.
>
> URLs are case-sensitive, except for two portions:
>
> a) scheme, which is limited to A-Z anyway
> b) hostnames, for which there are very specific and explicit rules about
> case-
> folding (case-folding and NFKC according to Unicode 3.2, no other)
>
> But that is exactly the issue: if URLs are case-sensitive and the file
> system
> isn't, then is /%C2%B5.txt the same as /%CE%BC.txt? According to QUrl, they
> aren't, but according to QString::compare with Qt::CaseInsensitive, they
> are.
>

BTW, *_wcsicmp* compares strings by simply converting them to their
lowercase forms.
So what you suggest? Changing Qt::CaseInsensitive string comparison to not
use casefolding and introduce more option(s) for case-folded and normalized
case-folded comparison?

Albeit that'll be a behavioral change, I think I'm ok with that.

Regards,
Konstantin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20160211/27a171c4/attachment.html>

More information about the Development mailing list