
Re: Unicode confusables and reordering characters considered harmful

From: Gregory Heytings
Subject: Re: Unicode confusables and reordering characters considered harmful
Date: Wed, 03 Nov 2021 00:28:54 +0000

But that's the core of the vulnerability: if you just look at the screen (and just scroll through it) you will have an incorrect understanding of what the code does.

It's good that such bidi override chars are displayed as a thin space, but that's mostly useful to make it possible to edit them (or to `C-x =` on them); I don't think it makes a significant difference in terms of the security issues introduced by the presence of those chars in the code.

Given that the vulnerability is limited to source code, in which AFAIU there's no legitimate use of such characters, would the following not be enough?

(defun make-bidi-reordering-characters-apparent ()
  "Display Unicode bidi control characters as a visible warning glyph.
Covers the embedding, override and isolate controls (U+202A..U+202E and
U+2066..U+2069), written as code points so that the invisible characters
themselves do not appear literally in this source."
  (setq buffer-display-table (make-display-table))
  ;; The display table only changes how the character is drawn; the buffer
  ;; text is still the bidi control, so font-lock cannot match the substitute
  ;; glyph.  A glyph code carries its own face, which highlights it directly.
  (let ((glyph (make-glyph-code ?⭤ 'font-lock-warning-face)))
    (dolist (c '(#x202a #x202b #x202c #x202d #x202e   ; LRE RLE PDF LRO RLO
                 #x2066 #x2067 #x2068 #x2069))        ; LRI RLI FSI PDI
      (aset buffer-display-table c (vector glyph)))))

(add-hook 'prog-mode-hook #'make-bidi-reordering-characters-apparent)
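The display-table approach above only helps someone reading the file in Emacs. The same set of bidi controls can be checked outside the editor, for instance in a pre-commit hook or CI job, by scanning the text for their code points and reporting where they occur. The following Python scanner is an added example, not code from the thread or from Emacs; the function names `find_bidi_controls` and `make_apparent` and the sample input are constructed for illustration.

```python
"""Locate Unicode bidi control characters in source text (added example)."""
from typing import Dict, List, Tuple

# Embedding, override and isolate controls: the same nine characters the
# Emacs display-table function remaps.  Listed by code point so that none
# of them appears literally in this file.
BIDI_CONTROLS: Dict[int, str] = {
    0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
    0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}


def find_bidi_controls(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, name) for every bidi control in TEXT.

    Lines and columns are 1-based so the report reads like a compiler
    diagnostic.  Scanning by code point rather than by regex avoids
    having to embed the invisible characters in a pattern.
    """
    hits: List[Tuple[int, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ord(ch))
            if name is not None:
                hits.append((lineno, col, name))
    return hits


def make_apparent(text: str) -> str:
    """Replace each bidi control with a visible <NAME> marker.

    This is the textual counterpart of the display-table substitution:
    the control is shown instead of silently reordering what follows it.
    """
    return "".join(
        f"<{BIDI_CONTROLS[ord(ch)]}>" if ord(ch) in BIDI_CONTROLS else ch
        for ch in text
    )


def is_clean(text: str) -> bool:
    """True when TEXT contains none of the bidi controls (CI gate)."""
    return not find_bidi_controls(text)


# Constructed sample: the second line carries an RLO and a closing PDF
# inside a comment, written as escapes so the file itself stays visible.
SAMPLE = "int ok = 1;\nint x = 1; // \u202Ereview\u202C\n"

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno}, column {col}: {name}")
    print(make_apparent(SAMPLE))
```

Running the block on the constructed sample reports the RLO at line 2, column 15 and the PDF at column 22, and `make_apparent` renders that line as `int x = 1; // <RLO>review<PDF>`; `is_clean` gives a single boolean suitable for failing a commit hook.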
