|
From: | Gregory Heytings |
Subject: | Re: Unicode confusables and reordering characters considered harmful |
Date: | Wed, 03 Nov 2021 00:28:54 +0000 |
But that's the core of the vulnerability: if you just look at the screen (and just scroll through it) you will have an incorrect understanding of what the code does.It's good that such bidi override chars are displayed as a thin space, but it's mostly useful to make it possible to edit them (or to `C-x =` on them), but I don't think it makes a significant different in terms of the security issues introduced by the presence of those chars in the code.
Given that the vulnerability is limited to source code, in which AFAIU there's no legitimate use of such characters, would the following not be enough?
(defun make-bidi-reordering-characters-apparent () (setq buffer-display-table (make-display-table)) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (aset buffer-display-table ? [?⭤]) (font-lock-add-keywords nil '(("⭤" . 'font-lock-warning-face)))) (add-hook 'prog-mode-hook #'make-bidi-reordering-characters-apparent)
[Prev in Thread] | Current Thread | [Next in Thread] |