From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Gregory Heytings Newsgroups: gmane.emacs.devel Subject: Re: Unicode confusables and reordering characters considered harmful Date: Wed, 03 Nov 2021 09:59:46 +0000 Message-ID: <11d5fecb449846dc0851@heytings.org> References: <875ytag0hb.fsf@yahoo.com> <87zgqmd5np.fsf@mat.ucm.es> <83wnlqk3rn.fsf@gnu.org> <72dd5c2a-42c7-b12e-05ed-e93adbd89727@gmail.com> <83ilxajyhw.fsf@gnu.org> <83fssejxf8.fsf@gnu.org> <835ytajsv2.fsf@gnu.org> <11d5fecb44af1d388b7f@heytings.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="iLztzuOHbV" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="12892"; mail-complaints-to="usenet@ciao.gmane.io" Cc: Eli Zaretskii , Stefan Kangas , cpitclaudel@gmail.com, emacs-devel@gnu.org To: Stefan Monnier Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Nov 03 11:01:40 2021 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1miD5P-00035P-JT for ged-emacs-devel@m.gmane-mx.org; Wed, 03 Nov 2021 11:01:39 +0100 Original-Received: from localhost ([::1]:34876 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1miD5N-0007Zw-8Q for ged-emacs-devel@m.gmane-mx.org; Wed, 03 Nov 2021 06:01:37 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:34590) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1miD3f-0006no-Le for emacs-devel@gnu.org; Wed, 03 Nov 2021 05:59:51 -0400 Original-Received: from heytings.org ([95.142.160.155]:50790) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1miD3d-0004zy-9t; Wed, 03 Nov 2021 05:59:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heytings.org; s=20210101; t=1635933587; bh=QqLopufLDj51BsCUPJqr2OsNChGLlOa7Ouy/cMJZRhg=; h=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References:From; b=jsgSlkX1nmnuh9YNDiRcPlyxTilgRLx4q1p/64e2VTi5SgP+153LOYssK1kIb41Wb uKToiLpJdvBzLUIQDC9BmwHW1TC75e3qo4OlNNCb2cAi8SLKBYsme8dTWOHWBSU3Tx lhGEC1vb2av6Ea15hmW4SbLAca7B03rFYjY4joZdRwe1Q8ZZCmMOiUJBcJtUmh6EG+ tDHU7JS0mvsfV2oE6jYweSYxpHELQHq/Pl1xdBuQfRdKFCuur2n9r5VPatbCVQ/51A xHV2FPtTumfcB0ftqHsyx1x+OxhaqBrFgreCcT9KZhglbvZ5wng3XE7UbqC9Ok2z8b ktBSCqNtyR/aw== In-Reply-To: Received-SPF: pass client-ip=95.142.160.155; envelope-from=gregory@heytings.org; helo=heytings.org X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:278563 Archived-At: --iLztzuOHbV Content-Type: text/plain; format=flowed; charset=us-ascii >> Given that the vulnerability is limited to source code, in which AFAIU >> there's no legitimate use of such characters, would the following not >> be enough? > > I'm pretty sure there are legitimate uses of such characters in source > code. Maybe there are significant parts of the world where this is > extremely rare, but we shouldn't generalize too quickly. > There's some data that shows that this is extremely rare in general: the Rust Security Response WG analyzed the 70322 crates and found only 5 in which these codepoints were present (see [1]). That's ~0.01 %. Moreover such highlighting does not make the source code or text unreadable, even in those few legitimate cases. Therefore I suggest to experiment with the attached patch during a month or so, and see if there are objections. I used the {left,right,up,down}wards arrows, which are visible in both GUI and TUI interfaces. [1] https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html --iLztzuOHbV Content-Type: text/x-diff; name=Make-bidi-reordering-characters-visible.patch Content-Transfer-Encoding: base64 Content-ID: <11d5fecb44b7483e7131@heytings.org> Content-Description: Content-Disposition: attachment; filename=Make-bidi-reordering-characters-visible.patch RnJvbSA3NGI3MzE4ZmMyMjNlNWE2NGQyMDY2MDUyMmMwMWMwM2NmOWE3MDIy IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQ0KRnJvbTogR3JlZ29yeSBIZXl0 aW5ncyA8Z3JlZ29yeUBoZXl0aW5ncy5vcmc+DQpEYXRlOiBXZWQsIDMgTm92 IDIwMjEgMDk6NTM6NDcgKzAwMDANClN1YmplY3Q6IFtQQVRDSF0gTWFrZSBi aWRpIHJlb3JkZXJpbmcgY2hhcmFjdGVycyB2aXNpYmxlDQoNCiogbGlzcC9w cm9nbW9kZXMvcHJvZy1tb2RlLmVsIChmb250aWZ5LWJpZGktcmVvcmRlcmlu Zy1jaGFyYWN0ZXJzLA0KbWFrZS1iaWRpLXJlb3JkZXJpbmctY2hhcmFjdGVy cy12aXNpYmxlKTogTmV3IGZ1bmN0aW9ucy4NCihwcm9nLW1vZGUpOiBVc2Ug dGhlIG5ldyBmdW5jdGlvbnMuDQotLS0NCiBsaXNwL3Byb2dtb2Rlcy9wcm9n LW1vZGUuZWwgfCAyMSArKysrKysrKysrKysrKysrKysrKy0NCiAxIGZpbGUg Y2hhbmdlZCwgMjAgaW5zZXJ0aW9ucygrKSwgMSBkZWxldGlvbigtKQ0KDQpk aWZmIC0tZ2l0IGEvbGlzcC9wcm9nbW9kZXMvcHJvZy1tb2RlLmVsIGIvbGlz cC9wcm9nbW9kZXMvcHJvZy1tb2RlLmVsDQppbmRleCBkYjM1MGE1ZjcwLi4w MDA1ZDNkNGQ3IDEwMDY0NA0KLS0tIGEvbGlzcC9wcm9nbW9kZXMvcHJvZy1t b2RlLmVsDQorKysgYi9saXNwL3Byb2dtb2Rlcy9wcm9nLW1vZGUuZWwNCkBA IC0yODksNiArMjg5LDI0IEBAIHR1cm4tb24tcHJldHRpZnktc3ltYm9scy1t b2RlDQogICAgICAgICAgICAgIChsb2NhbC12YXJpYWJsZS1wICdwcmV0dGlm eS1zeW1ib2xzLWFsaXN0KSkNCiAgICAgKHByZXR0aWZ5LXN5bWJvbHMtbW9k ZSAxKSkpDQogDQorKGRlZnVuIGZvbnRpZnktYmlkaS1yZW9yZGVyaW5nLWNo YXJhY3RlcnMgKCkNCisgIChmb250LWxvY2stYWRkLWtleXdvcmRzIG5pbCAn KCgi4oGpXFx84oCsXFx84oGoXFx84oGnXFx84oGmXFx84oCrXFx84oCqXFx8 4oCuXFx84oCtIiAuICdmb250LWxvY2std2FybmluZy1mYWNlKSkpKQ0KKw0K KyhkZWZ1biBtYWtlLWJpZGktcmVvcmRlcmluZy1jaGFyYWN0ZXJzLXZpc2li bGUgKCkNCisgIChzZXRxIGJ1ZmZlci1kaXNwbGF5LXRhYmxlIChvciBidWZm ZXItZGlzcGxheS10YWJsZQ0KKyAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIHN0YW5kYXJkLWRpc3BsYXktdGFibGUNCisgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAobWFrZS1kaXNwbGF5LXRhYmxlKSkpDQor ICAoYXNldCBidWZmZXItZGlzcGxheS10YWJsZSA/4oCqIFs/4oaSXSkNCisg IChhc2V0IGJ1ZmZlci1kaXNwbGF5LXRhYmxlID/igKsgWz/ihpBdKQ0KKyAg KGFzZXQgYnVmZmVyLWRpc3BsYXktdGFibGUgP+KArSBbP+KGkl0pDQorICAo YXNldCBidWZmZXItZGlzcGxheS10YWJsZSA/4oCuIFs/4oaQXSkNCisgIChh c2V0IGJ1ZmZlci1kaXNwbGF5LXRhYmxlID/igaYgWz/ihpJdKQ0KKyAgKGFz ZXQgYnVmZmVyLWRpc3BsYXktdGFibGUgP+KBpyBbP+KGkF0pDQorICAoYXNl dCBidWZmZXItZGlzcGxheS10YWJsZSA/4oGoIFs/4oaTXSkNCisgIChhc2V0 IGJ1ZmZlci1kaXNwbGF5LXRhYmxlID/igKwgWz/ihpFdKQ0KKyAgKGFzZXQg YnVmZmVyLWRpc3BsYXktdGFibGUgP+KBqSBbP+KGkV0pDQorICAoYWRkLWhv b2sgJ2ZvbnQtbG9jay1tb2RlLWhvb2sgIydmb250aWZ5LWJpZGktcmVvcmRl cmluZy1jaGFyYWN0ZXJzKSkNCisNCiA7OzsjIyNhdXRvbG9hZA0KIChkZWZp bmUtZ2xvYmFsaXplZC1taW5vci1tb2RlIGdsb2JhbC1wcmV0dGlmeS1zeW1i b2xzLW1vZGUNCiAgIHByZXR0aWZ5LXN5bWJvbHMtbW9kZSB0dXJuLW9uLXBy ZXR0aWZ5LXN5bWJvbHMtbW9kZSkNCkBAIC0zMDAsNyArMzE4LDggQEAgcHJv Zy1tb2RlDQogICAoc2V0cS1sb2NhbCBwYXJzZS1zZXhwLWlnbm9yZS1jb21t ZW50cyB0KQ0KICAgKGFkZC1ob29rICdjb250ZXh0LW1lbnUtZnVuY3Rpb25z ICdwcm9nLWNvbnRleHQtbWVudSAxMCB0KQ0KICAgOzsgQW55IHByb2dyYW1t aW5nIGxhbmd1YWdlIGlzIGFsd2F5cyB3cml0dGVuIGxlZnQgdG8gcmlnaHQu DQotICAoc2V0cSBiaWRpLXBhcmFncmFwaC1kaXJlY3Rpb24gJ2xlZnQtdG8t cmlnaHQpKQ0KKyAgKHNldHEgYmlkaS1wYXJhZ3JhcGgtZGlyZWN0aW9uICds ZWZ0LXRvLXJpZ2h0KQ0KKyAgKG1ha2UtYmlkaS1yZW9yZGVyaW5nLWNoYXJh Y3RlcnMtdmlzaWJsZSkpDQogDQogKHByb3ZpZGUgJ3Byb2ctbW9kZSkNCiAN Ci0tIA0KMi4zMy4wDQoNCg== --iLztzuOHbV--