From reading the above, it seems that Ledger ONLY deals with ASCII, but I've seen them display emoji, so it seems that they are capable of using Unicode for future purposes like Unicode passphrases or keys, in which I could use runes (Unicode code points with a very high range) that are invalid but, when turned into bytes (very narrow range), overflow and pass the error checks.
Suggestions
Use string operations
```go
func validHRPRune(r rune) bool {
	// https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki
	return r >= 33 && r <= 126
}

func (ledger *LedgerCosmos) getAddressPubKeySECP256K1(bip32Path []uint32, hrp string... {
	...
	if strings.ContainsFunc(hrp, func(r rune) bool { return !validHRPRune(r) }) {
		return nil, "", errors.New("all runes in the HRP must be in the [33, 126] range")
	}
	...
	message := append(header, byte(len(hrp)))
	message = append(message, hrp...)
```
Use bytes.ContainsFunc
```go
if bytes.ContainsFunc(hrpBytes, invalidHRPByte) {
	return nil, "", errors.New("all runes in the HRP must be in the [33, 126] range")
}
```
The restriction is due to the bech32 definition in BIP173 and it is not purely a representation restriction. For this reason, the code should be restricted to bytes instead of runes.
This code takes a string, converts it to a byte slice, and then manually runs some operations on it:

ledger-cosmos-go/user_app.go, lines 298 to 303 in e9d4c19

and then

ledger-cosmos-go/user_app.go, lines 317 to 318 in e9d4c19
/cc @elias-orijtech @julienrbrt
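The difference between range-checking runes and range-checking bytes, as an added example that is not part of the original issue or the ledger-cosmos-go code base: `truncatingCheck` is a constructed anti-pattern that narrows each rune with `byte(r)`, while `checkHRP` validates the bytes that are actually appended to the message. All function names and the one-byte header are assumptions; the 1 to 83 length bound is taken from BIP173.

```go
package main

import (
	"errors"
	"fmt"
)

// validHRPByte: BIP173 allows only US-ASCII values 33..126 in the HRP.
func validHRPByte(b byte) bool { return b >= 33 && b <= 126 }

// truncatingCheck is a constructed anti-pattern (hypothetical, not project code):
// byte(r) keeps only the low 8 bits, so U+0141 is checked as 0x41 ('A').
func truncatingCheck(hrp string) bool {
	for _, r := range hrp {
		if !validHRPByte(byte(r)) {
			return false
		}
	}
	return true
}

// checkHRP validates the UTF-8 bytes that go on the wire. Every byte of a
// non-ASCII code point is >= 0x80, so it can never fall inside [33, 126].
func checkHRP(hrp string) error {
	if len(hrp) < 1 || len(hrp) > 83 {
		return errors.New("HRP must be 1 to 83 bytes long")
	}
	for i := 0; i < len(hrp); i++ {
		if !validHRPByte(hrp[i]) {
			return fmt.Errorf("HRP byte %d (0x%02x) is outside [33, 126]", i, hrp[i])
		}
	}
	return nil
}

// buildMessage follows the append pattern quoted above; header is a placeholder.
func buildMessage(header []byte, hrp string) ([]byte, error) {
	if err := checkHRP(hrp); err != nil {
		return nil, err
	}
	msg := append(append([]byte{}, header...), byte(len(hrp)))
	return append(msg, hrp...), nil
}

func main() {
	for _, hrp := range []string{"cosmos", "c\u0141smos", "cos mos", ""} {
		fmt.Printf("%q truncating=%v bytewise=%v\n", hrp, truncatingCheck(hrp), checkHRP(hrp))
	}
}
```

The length bound also keeps `byte(len(hrp))` from wrapping, since the one-byte length prefix can only represent values up to 255.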