Greetings,
> Now what happens? where do you go from there to a vulnerability or
> backdoor? I think it might be a bit obvious that there is something
> funny going on if I see:
>
>     if (user.admin == "root" and check_password_securely()
>             or user.admin == "root"
>             # Second string has hidden characters, do not remove it.
>             ):
>         elevate_privileges()

Well, it's not so obvious. From Ross Anderson and Nicholas Boucher,
src: https://trojansource.codes/trojan-source.pdf

See appendix H. for Python.

with implementations:
https://github.com/nickboucher/trojan-source/tree/main/Python

Rely precisely on bidirectional control chars and/or replacing
lookalikes.

> There is no reason why linters and code checkers shouldn't check for
> invisible characters, Unicode confusables or mixed script identifiers
> and flag them. The interpreter shouldn't concern itself with such
> purely stylistic issues unless there is a concrete threat that can only
> be handled by the interpreter itself.

I mean current linters. But it will be good to check those for sure.
As a programmer, I don't want a language which bans Unicode stuff.
If there's something that should be fixed, it's the Unicode standard,
maybe defining a sane mode where weird Unicode stuff is not allowed.
Can also be from the language side in the event where it's not being
considered in the standard itself.

I don't see it as a language fault nor as a client fault, as they are
considering the Unicode docs, but the response was mixed, with some
languages deciding to patch it from their side, some linters
implementing detection for it, as well as some editors flagging it and
rendering it as the exploit intended.

Kind Regards,

Abdur-Rahmaan Janhangeer
about <https://compileralchemy.github.io/> | blog <https://www.pythonkitchen.com>
github <https://github.com/Abdur-RahmaanJ>
Mauritius
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/I43MI4QYEERGEKX6YX6NCHCZTUAFWY4X/
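
A minimal form of the linter check discussed in this message (bidirectional controls, other invisible characters, mixed-script identifiers), added here as an example; it is not part of the original message, the Trojan Source repository, or any existing linter. `scan_source`, `script_of` and the sample input are hypothetical names and constructed data, and the script detection is a character-name heuristic rather than the Unicode Script property.

```python
import io
import tokenize
import unicodedata

# Bidirectional formatting controls: embeddings, overrides, isolates, marks.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f\u061c")

def script_of(ch):
    """Heuristic (an assumption of this example): script from the character name."""
    name = unicodedata.name(ch, "")
    return next((s for s in ("LATIN", "CYRILLIC", "GREEK") if name.startswith(s)), None)

def scan_source(source):
    """Return sorted (line, column, kind, detail) findings for Python source text."""
    findings = []
    # Pass 1: every character, so strings and comments are covered too.
    for lineno, line in enumerate(source.split("\n"), start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi-control", unicodedata.name(ch)))
            elif unicodedata.category(ch) == "Cf":
                findings.append((lineno, col, "invisible", unicodedata.name(ch, hex(ord(ch)))))
    # Pass 2: identifiers only; a single-script non-ASCII name is not flagged.
    try:
        for tok in tokenize.generate_tokens(io.StringIO(source).readline):
            if tok.type == tokenize.NAME:
                scripts = sorted({s for s in map(script_of, tok.string) if s})
                if len(scripts) > 1:
                    findings.append((tok.start[0], tok.start[1], "mixed-script",
                                     f"{tok.string!r} mixes {scripts}"))
    except (tokenize.TokenError, SyntaxError):
        pass  # untokenizable input: keep the character-level findings
    return sorted(findings)

# Constructed sample modelled on the snippet quoted in the message: line 3 has a
# Cyrillic "а" (U+0430) in "admin" and a bidi override pair inside the comment.
SAMPLE = (
    'if user.admin == "root" and check_password_securely():\n'
    '    elevate_privileges()\n'
    'if user.\u0430dmin == "root":  # \u202e second check \u202c\n'
    '    elevate_privileges()\n'
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(*finding, sep=": ")
```

An identifier written entirely in one non-Latin script produces no finding, so a check of this kind flags the suspicious cases without banning Unicode in source files.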