"Hostname" and "webAddress" printed in punycode instead of unicode (IDN) #109

Closed
opened 2026-01-19 18:29:00 +00:00 by michael · 5 comments

Originally created by @cr-sh on GitHub.

Hey there,
in order to use this software with internationalized domain names (IDN), it is auspicable to print unicode instead of punycode.

you can see a live example here -> https://краш.мкд


@cr-sh commented on GitHub:

Ciao Andrea,

you have just redefined the concept of security through obscurity, taking it to the next level: security through obstructionism! LOL 🌚

I'm a legit security researcher stuck in the light side of the force; BTW I well know the bad guys, and I can assure you that, if this were a really useful change for their evil purposes, they would have edited those four lines themselves, keeping this change private.

Anyway, probably these days I would have done better to link you to an example domain in Japanese Kanji instead of Macedonian Cyrillic, my fault.

Have a nice day, and thank you for maintaining transfersh, I'm totally in love with this project since the day-zero.


@cr-sh commented on GitHub:

Oh, I'm sorry if I looked rude, it was not my intention, at all. As I did say before I have a lot of respect and appreciation for your work on maintaining this code, I can't thank you enough for that. 🙏

Concrete IDN homograph attacks are almost history of the past, since mixing Latin with non-Latin alphabets is now forbidden at registry-level for most TLDs, .org was among the first, so you are good to go 😅 with *.golang.org

Anyway, as I had initially thought, instead of a broad “punycode to unicode” migration in the whole project, a safer approach could be to surgically apply this transformation while printing “Hostname” and “webAddress”. But I'm probably missing something as I'm not very fluent in go, sadly.

Again thank you for your time / precious effort in opensource projects, and forgive my twisted irony.


@paolafrancesca commented on GitHub:

ciao @cr-sh

there's no security through obscurity neither through obstructionism: it's simply a concern similar to the one here https://github.com/golang/go/issues/20210

forcing the punycode will prevent `transfer.gοlang.org` from looking like `transfer.golang.go`

I explained my doubt because the content of your github profile made me think, I never implied that your usage would be malicious

please, refrain from replying with rudeness, that's against the code of conduct of the project


@paolafrancesca commented on GitHub:

> a safer approach could be to surgically apply this transformation while printing “Hostname” and “webAddress”

https://github.com/dutchcoders/transfer.sh/pull/486


@paolafrancesca commented on GitHub:

I initially created a branch for adding what seems to be a missing feature for legit users

anyway looking at the content of your github profile, @cr-sh, made me think that such a feature could be a high vehicle of attacks

so I'm quite favourable to keep as it is.

what do you think @stefanbenten ?

Reference: dutchcoders/transfer.sh#109
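
The display-time approach discussed in this thread, combined with the script-mixing concern, as an added example (not code from transfer.sh or from the linked pull request). The function names are hypothetical, and the Unicode form is assumed to come from an IDNA library such as golang.org/x/net/idna; the sample hostnames are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// scriptOf returns r's Unicode script, or "" for neutral runes (Common, Inherited).
func scriptOf(r rune) string {
	for name, table := range unicode.Scripts {
		if name != "Common" && name != "Inherited" && unicode.Is(table, r) {
			return name
		}
	}
	return ""
}

// mixedScript reports whether a label draws characters from more than one script.
func mixedScript(label string) bool {
	seen := map[string]bool{}
	for _, r := range label {
		if s := scriptOf(r); s != "" {
			seen[s] = true
		}
	}
	return len(seen) > 1
}

// displayHost shows a label in Unicode only when it is single-script and keeps
// punycode otherwise. uni is assumed to be the IDNA ToUnicode result for ascii.
func displayHost(ascii, uni string) string {
	a, u := strings.Split(ascii, "."), strings.Split(uni, ".")
	if len(a) != len(u) {
		return ascii // forms disagree: print the unambiguous one
	}
	for i := range a {
		if !mixedScript(u[i]) {
			a[i] = u[i]
		}
	}
	return strings.Join(a, ".")
}

func main() {
	// Constructed pairs: U+00FC is Latin "ü"; U+03BF is Greek omicron inside "golang".
	fmt.Println(displayHost("xn--mnchen-3ya.example", "m\u00fcnchen.example"))
	fmt.Println(displayHost("transfer.xn--glang-rce.org", "transfer.g\u03bflang.org"))
}
```

A per-label script check does not catch lookalikes written entirely in one non-Latin script, so this is a display policy rather than a full confusable detector.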