From: Eli Zaretskii
Newsgroups: gmane.emacs.help
Subject: Re: Trojan Source detection/highlight in Emacs?
Date: Tue, 02 Nov 2021 16:01:45 +0200
Message-ID: <834k8ulkqe.fsf@gnu.org>
To: help-gnu-emacs@gnu.org
In-Reply-To: (message from Skip Montanaro on Mon, 1 Nov 2021 17:19:16 -0500)

> From: Skip Montanaro
> Date: Mon, 1 Nov 2021 17:19:16 -0500
>
> The recent Trojan Source vulnerability crossed my newsfeed a day or two
> ago.

For some value of "recent".

> IDEs, editors, and lint tools are probably where the bulk of the action
> will be. Has this been discussed within the Emacs developer community?

We had a long discussion of a very similar issue, in the context of
URLs and phishing. It started here:

  https://lists.gnu.org/archive/html/emacs-devel/2014-11/msg02203.html

and continued into the next month:

  https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg00004.html

As a result of these discussions, I implemented a special function,
bidi-find-overridden-directionality, which has been part of Emacs since
version 25.1, released 5 years ago. (Don't rush to invoke that
function with the code samples mentioned above: it won't catch them.)

My expectation, and the reason why I bothered to write that function,
was that given the interest and the long discussion, the function
would immediately be used in some URL-related code in Emacs. That
didn't happen, and the function has been collecting dust in Emacs ever
since.

Now, the code there is not ready for the kind of tricks these new
examples are playing, so it doesn't detect them. It can be enhanced
to do that, though. But I'm reluctant to invest my time and energy in
a feature that will just keep collecting dust. So I will only work on
this if someone is actually prepared to use this function in Emacs by
adding some user-facing UI features, like making the problematic text
stand out on display, or displaying a warning.

I should also mention that Emacs has (weak) defenses against this kind
of trick: we show the formatting control characters on display,
unlike other editors that hide them. Also, cursor motion with C-f and
C-b will seem to behave erratically if you move across the problematic
text. So users that actually look at the code they use will most
probably find out that something strange is going on (if they don't
look, no visual cue will do).
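
Added example, not part of the original message and not Emacs code: a lint-style scan in Python for the explicit bidi formatting controls this thread is about. It reports each control, each strong-direction character that sits directly under an LRO/RLO override, and any control still open at end of line. The name `scan_bidi`, the finding tuple layout and the sample string are assumptions made for illustration, and each line is treated as one bidi paragraph.

```python
import unicodedata

# Explicit bidi formatting controls from UAX #9.
EMBEDS = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO"}
ISOLATES = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
PDF, PDI = "\u202c", "\u2069"

def scan_bidi(text):
    """Return (line, col, kind, detail) tuples; line and col are 1-based."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stack = []  # open controls; each line is treated as one bidi paragraph
        for col, ch in enumerate(line, 1):
            if ch in EMBEDS or ch in ISOLATES:
                name = EMBEDS.get(ch) or ISOLATES[ch]
                stack.append(name)
                findings.append((lineno, col, "control", name))
            elif ch == PDF:
                findings.append((lineno, col, "control", "PDF"))
                if stack and stack[-1] in EMBEDS.values():
                    stack.pop()  # PDF closes only an embedding or override
            elif ch == PDI:
                findings.append((lineno, col, "control", "PDI"))
                iso = [i for i, n in enumerate(stack) if n in ISOLATES.values()]
                if iso:
                    del stack[iso[-1]:]  # PDI closes the isolate and anything inside it
            elif stack and stack[-1] in ("LRO", "RLO"):
                # Character is directly inside an override: compare its own
                # bidi class with the direction the override forces on it.
                cls = unicodedata.bidirectional(ch)
                rtl = stack[-1] == "RLO"
                if (rtl and cls == "L") or (not rtl and cls in ("R", "AL")):
                    findings.append((lineno, col, "overridden", f"{cls} under {stack[-1]}"))
        if stack:
            # Controls left open when the line (paragraph) ends.
            findings.append((lineno, len(line), "unterminated", "+".join(stack)))
    return findings

# Constructed sample input (not taken from the thread or from any real code base).
SAMPLE = 'x = 1\nnote = "ab\u202ecd\u202c"\n# \u2067tail\n'

if __name__ == "__main__":
    for finding in scan_bidi(SAMPLE):
        print(finding)
```
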