From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.devel
Subject: Re: Unicode confusables and reordering characters considered harmful
Date: Tue, 02 Nov 2021 21:07:05 -0400
Message-ID: <jwv4k8ucap5.fsf-monnier+emacs@gnu.org>
References: <YYE1sEv6yS1bBUcu@odonien.localdomain> <875ytag0hb.fsf@yahoo.com>
 <87zgqmd5np.fsf@mat.ucm.es> <83wnlqk3rn.fsf@gnu.org>
 <72dd5c2a-42c7-b12e-05ed-e93adbd89727@gmail.com>
 <83ilxajyhw.fsf@gnu.org>
 <CADwFkm=PHvBiU1Xp6_ibqR1nmxj3YgytV3Jz6=hdOKfFCmTCwg@mail.gmail.com>
 <83fssejxf8.fsf@gnu.org>
 <CADwFkmmtTb9ztSFsEZdS8PJH0AjODVvzg37Dpp-Qk=D+CGjC0Q@mail.gmail.com>
 <835ytajsv2.fsf@gnu.org> <jwva6imqsqs.fsf-monnier+emacs@gnu.org>
 <11d5fecb44af1d388b7f@heytings.org>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="34925"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
Cc: Eli Zaretskii <eliz@gnu.org>,  Stefan Kangas <stefan@marxist.se>,
 cpitclaudel@gmail.com,  emacs-devel@gnu.org
To: Gregory Heytings <gregory@heytings.org>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Nov 03 02:09:30 2021
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1mi4mP-0008uh-JH
	for ged-emacs-devel@m.gmane-mx.org; Wed, 03 Nov 2021 02:09:29 +0100
Original-Received: from localhost ([::1]:43212 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1mi4mO-0008GV-NF
	for ged-emacs-devel@m.gmane-mx.org; Tue, 02 Nov 2021 21:09:28 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:43672)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <monnier@iro.umontreal.ca>)
 id 1mi4kL-0006Mb-WD
 for emacs-devel@gnu.org; Tue, 02 Nov 2021 21:07:22 -0400
Original-Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:13363)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <monnier@iro.umontreal.ca>)
 id 1mi4kI-0002lt-5a; Tue, 02 Nov 2021 21:07:19 -0400
Original-Received: from pmg1.iro.umontreal.ca (localhost.localdomain [127.0.0.1])
 by pmg1.iro.umontreal.ca (Proxmox) with ESMTP id E248F10038E;
 Tue,  2 Nov 2021 21:07:14 -0400 (EDT)
Original-Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1])
 by pmg1.iro.umontreal.ca (Proxmox) with ESMTP id 4C8C9100136;
 Tue,  2 Nov 2021 21:07:13 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
 s=mail; t=1635901633;
 bh=79rr5CaKZLmjFG7aNaXgkfR0ei8GL7BFtLQ6TpO3kUc=;
 h=From:To:Cc:Subject:References:Date:In-Reply-To:From;
 b=k/oPddJX8N3mGgnEycKBAdht/Lgu4ELplygf2hY4GJOLo9m/WzN3Mu32VLpwPXB+x
 bK0cYOYBq9aAS62gTlebNoPb0i5SfVdzU9YRxdkitWRUpVz1jL9ude8N82ULSz4uQ7
 s+4R9pUtZEqcjy5jcHX9zB0vZOvi3Fspr4LVkoaULCkPHTpG40hXEHW/0MF3/gUvXj
 MI1VlY0AmAS+iNXY842Qb9gDq6SHgKKXqKg60YFu4BjyO4hRS2CtCDoVBaKxPajx7b
 onU3iBQAESXKJoi2droI+bMQVwy34U0MMZKu1P9ppZzwSifWOYXFh0tv9z5Jfy3jZG
 nmZB/q7N6FO5g==
Original-Received: from ceviche (unknown [45.72.241.23])
 by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id E812012030A;
 Tue,  2 Nov 2021 21:07:12 -0400 (EDT)
In-Reply-To: <11d5fecb44af1d388b7f@heytings.org> (Gregory Heytings's message
 of "Wed, 03 Nov 2021 00:28:54 +0000")
Received-SPF: pass client-ip=132.204.25.50;
 envelope-from=monnier@iro.umontreal.ca; helo=mailscanner.iro.umontreal.ca
X-Spam_score_int: -42
X-Spam_score: -4.3
X-Spam_bar: ----
X-Spam_report: (-4.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: "Emacs-devel"
 <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.devel:278551
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/278551>

> Given that the vulnerability is limited to source code, in which AFAIU
> there's no legitimate use of such characters, would the following not
> be enough?

I'm pretty sure there are legitimate uses of such characters in source code.
Maybe there are significant parts of the world where this is extremely rare,
but we shouldn't generalize too quickly.


        Stefan