oss-sec mailing list archives

Re: Trojan Source Attacks

From: Stuart D Gathman <stuart () gathman org>
Date: Tue, 2 Nov 2021 16:43:48 -0400 (EDT)

That's because unicode rendering is a UI element and calling compilers
"impacted" is misunderstanding the issue.  There's scope for adding
new diagnostics to square with UI representation of unicode, but
that's at best an optional warning and it may not even be feasible in
all cases.  A comprehensive language aware CI lint check is perhaps
more suitable but if such a check devolves into "7-bit ascii only
allowed" for all cases then we've regressed.


Bingo.  For many current languages, unicode is supported in string

constants and comments only - so syntax coloring should highlightanything beyond 7 or 8-bit outside of those elements.


Some support unicode variable/function names, and again syntax coloring
should be able to highlight sequences that cross word boundaries.

Having some sample source files to test your code editor/viewer on would be
helpful.

Current thread:

Trojan Source Attacks Nicholas Boucher (Nov 01)
- Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
  - Re: Trojan Source Attacks Perry E. Metzger (Nov 01)
    - Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
    - Re: Trojan Source Attacks Siddhesh Poyarekar (Nov 01)
    - Re: Trojan Source Attacks Stuart D Gathman (Nov 02)
    - Re: Trojan Source Attacks Seth Arnold (Nov 02)
  - Re: Trojan Source Attacks Santiago Torres (Nov 01)
- Re: Trojan Source Attacks David A. Wheeler (Nov 02)
  - Re: Trojan Source Attacks Josh Bressers (Nov 02)
    - Re: Trojan Source Attacks David A. Wheeler (Nov 02)
    - Re: Trojan Source Attacks Michael Orlitzky (Nov 02)
- Re: Trojan Source Attacks Stuart D Gathman (Nov 02)
- Re: Trojan Source Attacks Georgi Guninski (Nov 04)
  - Re: Trojan Source Attacks Leonid Isaev (ifax) (Nov 04)