From: Eli Zaretskii <eliz@gnu.org>
To: help-gnu-emacs@gnu.org
Subject: Re: Trojan Source detection/highlight in Emacs?
Date: Tue, 02 Nov 2021 16:01:45 +0200 [thread overview]
Message-ID: <834k8ulkqe.fsf@gnu.org> (raw)
In-Reply-To: <CANc-5Uy_au4VV2AGWO1pYHZHVTfHFqCmig06GdN5CfHfrBu1tA@mail.gmail.com> (message from Skip Montanaro on Mon, 1 Nov 2021 17:19:16 -0500)
> From: Skip Montanaro <skip.montanaro@gmail.com>
> Date: Mon, 1 Nov 2021 17:19:16 -0500
>
> The recent Trojan Source vulnerability crossed my newsfeed a day or two
> ago.
For some value of "recent".
> IDEs, editors, and lint tools are probably where the bulk of the action
> will be. Has this been discussed within the Emacs developer community?
We had a long discussion of a very similar issue, in the context of
URLs and phishing. It started here:
https://lists.gnu.org/archive/html/emacs-devel/2014-11/msg02203.html
and continued into the next month:
https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg00004.html
As result of these discussions, I implemented a special function,
bidi-find-overridden-directionality, which is part of Emacs since
version 25.1, released 5 years ago. (Don't rush to invoke that
function with the code samples mentioned above: it won't catch them.)
My expectation, and the reason why I bothered to write that function,
was that given the interest and the long discussion, the function will
immediately be used in some URL-related code in Emacs. That didn't
happen, and the function is collecting dust in Emacs ever since.
Now, the code there is not ready for the kind of tricks these new
examples are playing, so it doesn't detect them. It can be enhanced
to do that, though. But I'm reluctant to invest my time and energy in
a feature that will just keep collecting dust. So I will only work on
this if someone is actually prepared to use this function in Emacs by
adding some user-facing UI features, like making the problematic text
stand out on display, or displaying a warning.
I should also mention that Emacs has (weak) defenses against this kind
of tricks: we show the formatting control characters on display,
unlike other editors that hide them. Also, cursor motion with C-f and
C-b will seem to behave erratically if you move across the problematic
text. So users that actually look at the code they use will most
probably find out that something strange is going on (if they don't
look, no visual cue will do).
next prev parent reply other threads:[~2021-11-02 14:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-01 22:19 Trojan Source detection/highlight in Emacs? Skip Montanaro
2021-11-01 23:25 ` Stefan Monnier via Users list for the GNU Emacs text editor
2021-11-02 14:09 ` Eli Zaretskii
2021-11-02 14:56 ` Stefan Monnier via Users list for the GNU Emacs text editor
2021-11-02 15:19 ` Eli Zaretskii
2021-11-02 14:14 ` Stefan Monnier via Users list for the GNU Emacs text editor
2021-11-02 14:01 ` Eli Zaretskii [this message]
2021-11-02 15:01 ` Skip Montanaro
2021-11-02 15:13 ` Eli Zaretskii
2021-11-02 15:12 ` Stefan Monnier via Users list for the GNU Emacs text editor
-- strict thread matches above, loose matches on Subject: below --
2021-11-03 8:52 Anders Munch
2021-11-03 13:03 ` Eli Zaretskii
2021-11-03 15:17 Anders Munch
2021-11-03 17:28 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=834k8ulkqe.fsf@gnu.org \
--to=eliz@gnu.org \
--cc=help-gnu-emacs@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).