From 598038643f483eabe788d4910bea5d1518ee0015 Mon Sep 17 00:00:00 2001
From: Lars Ingebrigtsen <larsi@gnus.org>
Date: Wed, 19 Jan 2022 15:52:20 +0100
Subject: [PATCH] Mark whole-script confusables as suspicious domains

* lisp/international/textsec.el (textsec-domain-suspicious-p):
Consider domain names that are whole-script confusables with ASCII
to be suspicious.  (I think this is what the Unicode standard is
recommending, but I'm not 100% sure.)
---
 lisp/international/textsec.el            | 8 +++++++-
 test/lisp/international/textsec-tests.el | 5 ++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lisp/international/textsec.el b/lisp/international/textsec.el
index d861685f0b1..63860d22508 100644
--- a/lisp/international/textsec.el
+++ b/lisp/international/textsec.el
@@ -245,8 +245,14 @@ or use certain other unusual mixtures of characters."
          (throw 'found (format "Disallowed character: `%s' (#x%x)"
                                (string char) char))))
      domain)
+    ;; Does IDNA allow it?
     (unless (puny-highly-restrictive-domain-p domain)
-      (throw 'found (format "%s is not highly-restrictive" domain)))
+      (throw 'found (format "`%s' is not highly-restrictive" domain)))
+    ;; Check whether any segment of the domain name is confusable with
+    ;; an ASCII-only segment.
+    (dolist (elem (split-string domain "\\."))
+      (when (textsec-ascii-confusable-p elem)
+        (throw 'found (format "`%s' is confusable with ASCII" elem))))
     nil))
 
 (defun textsec-local-address-suspicious-p (local)
diff --git a/test/lisp/international/textsec-tests.el b/test/lisp/international/textsec-tests.el
index b68bce1dc70..8385c116f4f 100644
--- a/test/lisp/international/textsec-tests.el
+++ b/test/lisp/international/textsec-tests.el
@@ -113,7 +113,10 @@
 (ert-deftest test-suspiction-domain ()
   (should (textsec-domain-suspicious-p "foo/bar.org"))
   (should-not (textsec-domain-suspicious-p "foo.org"))
-  (should (textsec-domain-suspicious-p "f\N{LEFT-TO-RIGHT ISOLATE}oo.org")))
+  (should (textsec-domain-suspicious-p "f\N{LEFT-TO-RIGHT ISOLATE}oo.org"))
+
+  (should (textsec-domain-suspicious-p "Сгсе.ru"))
+  (should-not (textsec-domain-suspicious-p "фСгсе.ru")))
 
 (ert-deftest test-suspicious-local ()
   (should-not (textsec-local-address-suspicious-p "larsi"))
-- 
2.39.2