From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: Unicode confusables and reordering characters considered harmful
Date: Tue, 02 Nov 2021 21:07:05 -0400
To: Gregory Heytings
Cc: Eli Zaretskii, Stefan Kangas, cpitclaudel@gmail.com, emacs-devel@gnu.org
In-Reply-To: <11d5fecb44af1d388b7f@heytings.org> (Gregory Heytings's message of "Wed, 03 Nov 2021 00:28:54 +0000")

> Given that the vulnerability is limited to source code, in which AFAIU
> there's no legitimate use of such characters, would the following not
> be enough?

I'm pretty sure there are legitimate uses of such characters in source
code. Maybe there are significant parts of the world where this is
extremely rare, but we shouldn't generalize too quickly.

Stefan