unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Unicode confusables and reordering characters considered harmful
@ 2021-11-02 12:57 Vasilij Schneidermann
  2021-11-02 13:18 ` Po Lu
                   ` (6 more replies)
  0 siblings, 7 replies; 172+ messages in thread
From: Vasilij Schneidermann @ 2021-11-02 12:57 UTC (permalink / raw)
  To: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 1582 bytes --]

There's a paper going around that demonstrates how two Unicode features
can be used to trick source code auditors into misinterpreting program
logic. The authors have suggested that language specifications should be
amended, implementations should warn or raise errors and editor tooling
should display visual warnings. Both issues are tracked as
CVE-2021-42574 and CVE-2021-42694.

The first issue is about bidirectional reordering characters. If bidi
text rendering is not needed, it's easy enough to work around with
`(setq-default bidi-display-reordering nil)`. Some people already make
use of this to speed up redisplay. Maybe there's a better solution, such
as automatically detecting whether the user is working with a RTL script
and only then enable bidi text rendering.

The second issue is about mixed-script confusable characters. Emacs does
not appear to have a workaround for that. I've come across the
uni-confusables package in GNU ELPA, but it merely sets up character
tables. The only mention of confusables I can find in the Emacs sources
is for `help-uni-confusables` which contains a much smaller list for
quotation marks, used in help buffers and elisp buffers. A
possible solution would be to implement the Unicode confusables
algorithm and expose it in the uni-confusables package.

Vasilij

https://trojansource.codes/
https://www.trojansource.codes/trojan-source.pdf
https://github.com/nickboucher/trojan-source
https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/
https://unicode.org/reports/tr39/#Confusable_Detection

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 172+ messages in thread

end of thread, other threads:[~2021-11-10 17:15 UTC | newest]

Thread overview: 172+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-02 12:57 Unicode confusables and reordering characters considered harmful Vasilij Schneidermann
2021-11-02 13:18 ` Po Lu
2021-11-02 13:54   ` Uwe Brauer
2021-11-02 14:53     ` Eli Zaretskii
2021-11-02 15:16       ` Eli Zaretskii
2021-11-02 15:21         ` Uwe Brauer
2021-11-02 16:24       ` Clément Pit-Claudel
2021-11-02 16:47         ` Eli Zaretskii
2021-11-02 17:01           ` Stefan Kangas
2021-11-02 17:10             ` Eli Zaretskii
2021-11-02 18:43               ` Stefan Kangas
2021-11-02 18:49                 ` Eli Zaretskii
2021-11-02 19:12                   ` Stefan Monnier
2021-11-02 19:36                     ` Eli Zaretskii
2021-11-02 19:47                       ` Stefan Monnier
2021-11-02 19:51                         ` Eli Zaretskii
2021-11-02 21:28                           ` Unicode confusables and reordering characters considered harmful, a simple solution Daniel Brooks
2021-11-03 13:30                             ` Eli Zaretskii
2021-11-03 17:41                             ` Yuri Khan
2021-11-03 17:56                               ` Eli Zaretskii
2021-11-03 18:20                                 ` Juri Linkov
2021-11-03 19:02                                   ` Gregory Heytings
2021-11-03 19:46                                     ` Eli Zaretskii
2021-11-03 19:58                                       ` Yuri Khan
2021-11-03 20:21                                       ` Gregory Heytings
2021-11-03 20:31                                         ` Eli Zaretskii
2021-11-03 21:16                                           ` Gregory Heytings
2021-11-04  7:16                                             ` Eli Zaretskii
2021-11-04  9:06                                               ` Gregory Heytings
2021-11-04  9:19                                                 ` Eli Zaretskii
2021-11-04  9:48                                                   ` Eli Zaretskii
2021-11-04  8:44                                     ` Juri Linkov
2021-11-03 18:45                                 ` Yuri Khan
2021-11-03 19:09                                   ` Eli Zaretskii
2021-11-03 19:35                                     ` Yuri Khan
2021-11-03 20:01                                       ` Eli Zaretskii
2021-11-03 20:45                                         ` Gregory Heytings
2021-11-03 20:53                                           ` Eli Zaretskii
2021-11-03 21:23                                             ` Gregory Heytings
2021-11-04  6:58                                               ` Eli Zaretskii
2021-11-04  8:53                                                 ` Gregory Heytings
2021-11-04  9:15                                                   ` Eli Zaretskii
2021-11-03 19:54                                     ` Daniel Brooks
2021-11-03 20:08                                       ` Eli Zaretskii
2021-11-04  6:00                                         ` Daniel Brooks
2021-11-04  7:44                                           ` Eli Zaretskii
2021-11-04  9:14                                             ` Gregory Heytings
2021-11-04  9:45                                               ` Eli Zaretskii
2021-11-04 10:41                                                 ` Gregory Heytings
2021-11-04 11:03                                                   ` Po Lu
2021-11-04 11:27                                                     ` Gregory Heytings
2021-11-04 11:20                                                   ` Eli Zaretskii
2021-11-04 11:34                                                     ` Gregory Heytings
2021-11-04 13:25                                                       ` Eli Zaretskii
2021-11-04 14:10                                                         ` Gregory Heytings
2021-11-04 16:50                                                           ` Eli Zaretskii
2021-11-04 17:04                                                             ` Gregory Heytings
2021-11-04 19:16                                                           ` Stefan Monnier
2021-11-05 23:31                                                             ` Gregory Heytings
2021-11-06  7:25                                                               ` Eli Zaretskii
2021-11-04 19:22                                                           ` Stefan Monnier
2021-11-04 19:55                                                             ` Eli Zaretskii
2021-11-05 23:32                                                             ` Gregory Heytings
2021-11-04 19:08                                                     ` Eli Zaretskii
2021-11-04 20:00                                                       ` Eli Zaretskii
2021-11-05  2:23                                             ` Daniel Brooks
2021-11-05  3:52                                               ` Stefan Kangas
2021-11-05  5:21                                                 ` code annotations Daniel Brooks
2021-11-05  5:53                                                   ` Stefan Kangas
2021-11-05  5:23                                                 ` Unicode confusables and reordering characters considered harmful, a simple solution Daniel Brooks
2021-11-05  6:13                                                 ` Po Lu
2021-11-05  7:37                                                 ` Eli Zaretskii
2021-11-05  8:00                                                   ` Stefan Kangas
2021-11-05  8:07                                                     ` Eli Zaretskii
2021-11-05  9:58                                                       ` Stefan Kangas
2021-11-05 12:12                                                         ` Eli Zaretskii
2021-11-05 13:08                                                           ` Stefan Kangas
2021-11-05 14:19                                                             ` Eli Zaretskii
2021-11-05 23:33                                                               ` Gregory Heytings
2021-11-06  0:54                                                                 ` Daniel Brooks
2021-11-06 10:56                                                                   ` Eli Zaretskii
2021-11-06 10:48                                                                 ` Eli Zaretskii
2021-11-08 19:58                                                                   ` Gregory Heytings
2021-11-08 20:27                                                                     ` Eli Zaretskii
2021-11-08 21:59                                                                       ` Stefan Monnier
2021-11-09  3:28                                                                         ` Eli Zaretskii
2021-11-06 13:58                                                               ` Benjamin Riefenstahl
2021-11-06 15:34                                                                 ` Eli Zaretskii
2021-11-06 17:09                                                                   ` Benjamin Riefenstahl
2021-11-06 17:35                                                                     ` Eli Zaretskii
2021-11-05  8:09                                               ` tomas
2021-11-06  1:09                                                 ` Daniel Brooks
2021-11-05  8:31                                               ` Eli Zaretskii
2021-11-05  9:34                                                 ` Juri Linkov
2021-11-04 19:05                                           ` Stefan Monnier
2021-11-03 21:13                                 ` Daniel Brooks
2021-11-04  6:52                                   ` Eli Zaretskii
2021-11-02 20:18                       ` Unicode confusables and reordering characters considered harmful Tim Cross
2021-11-03  0:28                     ` Gregory Heytings
2021-11-03  1:07                       ` Stefan Monnier
2021-11-03  1:59                         ` Daniel Brooks
2021-11-03 13:35                           ` Eli Zaretskii
2021-11-03  9:59                         ` Gregory Heytings
2021-11-03 11:19                           ` Stefan Kangas
2021-11-03 11:31                             ` Gregory Heytings
2021-11-03 12:20                               ` Stefan Monnier
2021-11-03 12:41                                 ` tomas
2021-11-03 13:15                                   ` Eli Zaretskii
2021-11-03 14:46                                     ` tomas
2021-11-03 17:13                                       ` Eli Zaretskii
2021-11-03 17:34                                         ` tomas
2021-11-03 13:46                                 ` Eli Zaretskii
2021-11-03 13:45                               ` Eli Zaretskii
2021-11-03 13:44                             ` Eli Zaretskii
2021-11-03 14:29                               ` Gregory Heytings
2021-11-03 14:37                                 ` Eli Zaretskii
2021-11-03 16:01                                   ` Gregory Heytings
2021-11-03 17:44                                     ` Eli Zaretskii
2021-11-03 17:53                                       ` Gregory Heytings
2021-11-03 11:29                           ` Andreas Schwab
2021-11-03 18:47                             ` Stefan Monnier
2021-11-03 18:52                               ` Yuri Khan
2021-11-03 19:19                                 ` Stefan Monnier
2021-11-03 19:28                               ` Gregory Heytings
2021-11-03 19:32                                 ` Stefan Monnier
2021-11-03 19:41                                   ` Yuri Khan
2021-11-03 20:12                                   ` Gregory Heytings
2021-11-03 22:03                                     ` Gregory Heytings
2021-11-04  8:50                                       ` Gregory Heytings
2021-11-03 19:51                                 ` Eli Zaretskii
2021-11-03 19:30                               ` Eli Zaretskii
2021-11-03 19:34                                 ` Andreas Schwab
2021-11-03 19:54                                   ` Eli Zaretskii
2021-11-03 13:37                           ` Eli Zaretskii
2021-11-03 18:53                             ` Manuel Giraud
2021-11-03 19:36                               ` Eli Zaretskii
2021-11-03 21:15                                 ` Manuel Giraud
2021-11-04  6:56                                   ` Eli Zaretskii
2021-11-04 19:04                                     ` Eli Zaretskii
2021-11-03 13:33                         ` Eli Zaretskii
2021-11-03 13:31                       ` Eli Zaretskii
2021-11-02 19:26                   ` Stefan Kangas
2021-11-02 19:44                     ` Eli Zaretskii
2021-11-02 19:49                     ` Stefan Monnier
2021-11-02 18:16           ` Clément Pit-Claudel
2021-11-02 18:37             ` Eli Zaretskii
2021-11-02 19:17         ` Yuri Khan
2021-11-02 19:37           ` Eli Zaretskii
2021-11-02 17:24       ` [authors: default bidi-display-reordering is set to t] (was: Unicode confusables and reordering characters considered harmful) Uwe Brauer
2021-11-02 17:37         ` Eli Zaretskii
2021-11-02 14:31   ` Unicode confusables and reordering characters considered harmful Eli Zaretskii
2021-11-02 15:13     ` Uwe Brauer
2021-11-02 13:42 ` tomas
2021-11-02 14:57   ` Stefan Kangas
2021-11-02 14:30 ` Eli Zaretskii
2021-11-02 14:43 ` Clément Pit-Claudel
2021-11-03 15:07   ` Reini Urban
2021-11-03 15:43     ` Stefan Monnier
2021-11-04  7:50       ` Reini Urban
2021-11-04  8:21         ` Eli Zaretskii
2021-11-03 17:24     ` Eli Zaretskii
2021-11-02 14:57 ` Stefan Kangas
2021-11-05 18:53 ` Unicode confusables " Vasilij Schneidermann
2021-11-05 20:03   ` Eli Zaretskii
2021-11-06 11:56     ` Vasilij Schneidermann
2021-11-06 12:20       ` Eli Zaretskii
2021-11-06 13:10         ` Vasilij Schneidermann
2021-11-06 13:29           ` Eli Zaretskii
2021-11-05 21:36   ` Stefan Monnier
2021-11-10 15:47 ` Unicode confusables and reordering characters " Dmitry Gutov
2021-11-10 17:03   ` Eli Zaretskii
2021-11-10 17:15     ` Dmitry Gutov

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).