Merge pull request #562 from slingamn/impersonation

fix an edge case in skeletonization

irc/strings.go

@@ -163,15 +163,15 @@ func isIdent(name string) bool {
 // from the original (unfolded) identifier and stored/tracked separately from the
 // casefolded identifier.
 func Skeleton(name string) (string, error) {
-	if !isBoring(name) {
-		name = confusables.Skeleton(name)
-	}
-
 	// XXX the confusables table includes some, but not all, fullwidth->standard
 	// mappings for latin characters. do a pass of explicit width folding,
 	// same as PRECIS:
 	name = width.Fold.String(name)
 
+	if !isBoring(name) {
+		name = confusables.Skeleton(name)
+	}
+
 	// internationalized lowercasing for skeletons; this is much more lenient than
 	// Casefold. In particular, skeletons are expected to mix scripts (which may
 	// violate the bidi rule). We also don't care if they contain runes

irc/strings_test.go

@@ -181,6 +181,10 @@ func TestSkeleton(t *testing.T) {
 		t.Errorf("after skeletonizing, we should casefold")
 	}
 
+	if skeleton("smｔ") != "smt" {
+		t.Errorf("our friend lover successfully tricked the skeleton algorithm!")
+	}
+
 	if skeleton("еvan") != "evan" {
 		t.Errorf("we must protect against cyrillic homoglyph attacks")
 	}