From: Stefan Kangas
Newsgroups: gmane.emacs.devel
Subject: Re: Unicode confusables and reordering characters considered harmful
Date: Tue, 2 Nov 2021 07:57:39 -0700
To: Vasilij Schneidermann, emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:278495

Vasilij Schneidermann writes:

> There's a paper going around that demonstrates how two Unicode features
> can be used to trick source code auditors into misinterpreting program
> logic. The authors have suggested that language specifications should be
> amended, implementations should warn or raise errors and editor tooling
> should display visual warnings. Both issues are tracked as
> CVE-2021-42574 and CVE-2021-42694.

This is the list of solutions proposed on https://trojansource.codes/:

(1) Compilers, interpreters, and build pipelines supporting Unicode should
    throw errors or warnings for unterminated bidirectional control
    characters in comments or string literals, and for identifiers with
    mixed-script confusable characters.

(2) Language specifications should formally disallow unterminated
    bidirectional control characters in comments and string literals.

(3) Code editors and repository frontends should make bidirectional
    control characters and mixed-script confusable characters perceptible
    with visual symbols or warnings.
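As an added illustration of items (1) and (3) above, not code from this thread, from Emacs, or from the Trojan Source authors: a small Python scanner that flags unterminated bidirectional controls inside C-style comments and string literals, flags identifiers that mix scripts, and renders bidi controls visibly the way an editor might. The minimal tokenizer, the constructed sample input, and the script heuristic (first word of the character's Unicode name) are my own simplifications; a real implementation should use the Unicode Script property and the UTS #39 mixed-script rules instead.

```python
"""Detect the two Trojan Source hazards in C-like source text:
unterminated bidi controls in comments/strings, and mixed-script identifiers.
Added example; the tokenizer is deliberately minimal (no char literals,
raw strings or preprocessor awareness)."""
import re
import unicodedata

# Embeddings/overrides (LRE, RLE, LRO, RLO) are closed by PDF;
# isolates (LRI, RLI, FSI) are closed by PDI.
BIDI_OPEN_PDF = {"\u202a", "\u202b", "\u202d", "\u202e"}
BIDI_OPEN_PDI = {"\u2066", "\u2067", "\u2068"}
PDF, PDI = "\u202c", "\u2069"
# LRM/RLM carry no nesting but are still worth making visible in an editor.
BIDI_ALL = BIDI_OPEN_PDF | BIDI_OPEN_PDI | {PDF, PDI, "\u200e", "\u200f"}

# Minimal tokenizer: block comment, line comment, string literal, identifier.
# Everything else (operators, digits, whitespace) is skipped by finditer.
TOKEN_RE = re.compile(
    r"(?P<block>/\*.*?\*/)"
    r"|(?P<line>//[^\n]*)"
    r"|(?P<string>\"(?:\\.|[^\"\\\n])*\")"
    r"|(?P<ident>[^\W\d]\w*)",
    re.DOTALL,
)


def unterminated_bidi(text):
    """True if a bidi opener in `text` is never closed.

    A stack models nesting: PDF closes only an enclosing embedding/override,
    while PDI closes the innermost isolate and every embedding opened inside it
    (an approximation of the Unicode Bidirectional Algorithm's rules).
    """
    stack = []
    for ch in text:
        if ch in BIDI_OPEN_PDF:
            stack.append(PDF)
        elif ch in BIDI_OPEN_PDI:
            stack.append(PDI)
        elif ch == PDF:
            if stack and stack[-1] == PDF:
                stack.pop()
        elif ch == PDI:
            if PDI in stack:
                while stack.pop() != PDI:
                    pass
    return bool(stack)


def script_of(ch):
    """Approximate script of a letter from its Unicode name prefix
    ('LATIN', 'CYRILLIC', 'GREEK', ...); non-letters yield None."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script(ident):
    """True if the identifier's letters come from more than one script."""
    scripts = {script_of(c) for c in ident} - {None}
    return len(scripts) > 1


def reveal_bidi(text):
    """Editor-style rendering: replace each bidi control with a visible tag."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_ALL else c for c in text)


def scan(source):
    """Return (line_number, kind, token_text) findings for `source`."""
    findings = []
    for m in TOKEN_RE.finditer(source):
        kind = m.lastgroup
        text = m.group(kind)
        line = source.count("\n", 0, m.start()) + 1
        if kind in ("block", "line", "string"):
            if unterminated_bidi(text):
                findings.append((line, "unterminated-bidi", text))
        elif kind == "ident" and mixed_script(text):
            findings.append((line, "mixed-script-identifier", text))
    return findings


# Constructed sample: an RLO left open in a comment, a correctly closed
# isolate in a string (no finding), and a Cyrillic 'es' inside "count".
SAMPLE = (
    "int main() {\n"
    "    /* begin admin check \u202e */\n"
    "    const char *msg = \"user: \u2067guest\u2069\";\n"
    "    int \u0441ount = 0;  /* looks like 'count' */\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for line, kind, tok in scan(SAMPLE):
        print(f"line {line}: {kind}: {reveal_bidi(tok)}")
```

Running the block reports the open RLO on line 2 and the mixed-script identifier on line 4, while the string on line 3 passes because its RLI is closed by a PDI. Only terminated-ness is checked, so item (3)'s stricter editor behaviour (show every control, closed or not) is left to `reveal_bidi`.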