
NFC is not enforced / checked #82

Open
bwbroersma opened this issue Nov 29, 2024 · 2 comments

Comments

@bwbroersma
Contributor

bwbroersma commented Nov 29, 2024

Example sectxt:

```
# Hallå!
Contact: https://example.org
Expires: 2024-12-31T23:59:59Z
Canonical: https://example.org/.well-known/security.txt
```

Make sure it is in NFD (which is wrong):

```shell
$ cat sectxt-plain | uconv -x any-nfd > sectxt-plain-nfd
```

This is not detected:

```pycon
Python 3.11.2 (main, Sep 14 2024, 03:00:30) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from sectxt import Parser
>>> p = Parser(open("sectxt-plain-nfd","rb").read(65000))
>>> p.is_valid()
True
>>> p.errors
[]
>>> p.recommendations
[{'code': 'not_signed', 'message': 'security.txt should be digitally signed.', 'line': None}]
>>> p.notifications
[]
```

Note that in case of PGP signing the result actually is:

```python
[{'code': 'pgp_data_error', 'message': 'Signed message did not contain a correct ASCII-armored PGP block.', 'line': 1}]
```
@DigitalTrustCenter
Owner

Thanks for reporting the issue.
It is not clear to us why NFC should be enforced. The RFC only mentions that the encoding should be UTF-8, and both NFD and NFC are valid UTF-8 encodings.
Could you clarify why NFC should be enforced?

@bwbroersma
Contributor Author

bwbroersma commented Dec 12, 2024

RFC 9116 - A File Format to Aid in Security Vulnerability Disclosure - § 4. File Format Description and ABNF Grammar:

The file format of the "security.txt" file MUST be plain text (MIME type "text/plain") as defined in Section 4.1.3 of [RFC2046] and MUST be encoded using UTF-8 [RFC3629] in Net-Unicode form [RFC5198].

RFC5198 - Unicode Format for Network Interchange - § 2 Net-Unicode Definition:

  1. Before transmission, all character sequences SHOULD be normalized
    according to Unicode normalization form "NFC" (see Section 3).
  2. As suggested in Section 6 of RFC 3629, the Byte Order Mark
    ("BOM") signature MUST NOT appear at the beginning of these text
    strings.
  3. Systems conforming to this specification MUST NOT transmit any
    string containing any code point that is unassigned in the
    version of Unicode on which they are dependent. The version of
    NFC and the version of Unicode used by that system MUST be
    consistent.

Which is also noted by:

"Security.txt must be encoded using UTF-8 in Net-Unicode form, "

Not sure if 4 / 6 should be read as SHOULD or MUST regarding NFC.
PGP signing is erroring on non-NFC input, but I'm unsure if this is correct (I cannot find a Unicode normalization requirement in PGP).
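
For reference, the three Net-Unicode rules quoted above can be checked directly on the raw bytes. This is an added example, not sectxt's code: the issue codes (`not_nfc`, `bom`, `unassigned_code_point`, `invalid_utf8`) are hypothetical, and the sample is the reporter's file re-created with the heading stored in NFD.

```python
import unicodedata

# Constructed sample, not from the project: the file from the report, with the
# heading's "å" stored in NFD (a + U+030A combining ring above).
NFD_SAMPLE = (
    "# Hall\u0061\u030a!\n"
    "Contact: https://example.org\n"
    "Expires: 2024-12-31T23:59:59Z\n"
    "Canonical: https://example.org/.well-known/security.txt\n"
).encode("utf-8")

BOM = b"\xef\xbb\xbf"


def net_unicode_issues(data: bytes) -> list[dict]:
    """Check raw security.txt bytes against RFC 5198 Net-Unicode: NFC form,
    no leading BOM, no unassigned code points. Returns dicts shaped like
    sectxt's error entries (code / message / line); codes are hypothetical."""
    issues = []
    # RFC 5198 item 2: a BOM MUST NOT appear at the beginning of the text.
    if data.startswith(BOM):
        issues.append({"code": "bom", "message": "BOM must not appear at start of file.", "line": 1})
        data = data[len(BOM):]
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        issues.append({"code": "invalid_utf8", "message": str(exc), "line": None})
        return issues
    for lineno, line in enumerate(text.splitlines(), start=1):
        # RFC 5198 item 1: sequences SHOULD be NFC (sectxt accepts NFD today).
        if not unicodedata.is_normalized("NFC", line):
            issues.append({"code": "not_nfc", "message": "Line is not in NFC.", "line": lineno})
        # RFC 5198 item 3: nothing unassigned in the Unicode version in use.
        unassigned = sorted({f"U+{ord(ch):04X}" for ch in line if unicodedata.category(ch) == "Cn"})
        if unassigned:
            msg = f"Unassigned in Unicode {unicodedata.unidata_version}: {', '.join(unassigned)}"
            issues.append({"code": "unassigned_code_point", "message": msg, "line": lineno})
    return issues


def to_nfc(data: bytes) -> bytes:
    """Normalize a UTF-8 body to NFC, the fix a publisher would apply."""
    return unicodedata.normalize("NFC", data.decode("utf-8")).encode("utf-8")


if __name__ == "__main__":
    print(net_unicode_issues(NFD_SAMPLE))          # flags line 1 as not_nfc
    print(net_unicode_issues(to_nfc(NFD_SAMPLE)))  # []
```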
