On Tue, Nov 2, 2021, at 19:43, Mike Pattrick wrote:
> Recently there has been a lot of press about the "trojan source" attack,
> where Unicode characters are used to obfuscate the true functionality of
> code. This attack didn't affect OVS, but adding the check here will help
> guard against it sneaking in later.
>
> Signed-off-by: Mike Pattrick <[email protected]>
Hi,

What did you base the selection of characters to blacklist on? Reading issues open on other languages, I haven't found a good comprehensive set of characters that would need to be blacklisted. I'm not sure it is a sufficient approach: getting creative and circumventing this kind of blacklist would be a sport.

Instead, shouldn't we take the reverse approach and whitelist single-byte chars? (warn on multi-byte unicode sequence). It would be sufficient for the vast majority of C sources (and scripts). If there are exceptions, at least checkpatch would still show a warning about the introduced characters and they could be reviewed on a case-by-case basis. The idea is only to make invisible chars visible to reviewers.

WDYT?

--
Gaetan Rivet
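The whitelist approach suggested above, as an added example that is neither the patch under review nor OVS's own checkpatch.py: every character outside 7-bit ASCII on an added line is surfaced to the reviewer with its code point, Unicode name and category (format controls show up as `Cf`), instead of being matched against a list of known-bad code points. The sample patch is constructed for the example.

```python
import re
import unicodedata

# Constructed sample patch (not from the OVS tree): one clean added line, two
# added lines carrying non-ASCII characters (one of them an invisible bidi
# control), and a removed line that must not be reported.
SAMPLE_PATCH = (
    "--- a/lib/foo.c\n"
    "+++ b/lib/foo.c\n"
    "@@ -1,3 +1,5 @@\n"
    " int x = 1;\n"
    "+int y = 2;\n"
    "+/* check access level \u202e */ if (is_admin) {\n"
    "+char *s = \"caf\u00e9\";\n"
    "-int z; /* \u00e9 */\n"
)

# Added lines start with a single '+'; the '+++' file header is not content.
ADDED_LINE = re.compile(r"^\+(?!\+\+ )")


def describe(ch):
    """Code point, Unicode category and name, so invisible chars become visible."""
    name = unicodedata.name(ch, "<unnamed>")
    return "U+%04X %s (%s)" % (ord(ch), name, unicodedata.category(ch))


def check_non_ascii(patch_text):
    """Report every character above 0x7F on an added line, whatever it is.

    Returns a list of (patch_line_number, column, description) tuples; the
    column is 1-based and counted from the first character after the '+'.
    """
    warnings = []
    for lineno, line in enumerate(patch_text.splitlines(), start=1):
        if not ADDED_LINE.match(line):
            continue
        for col, ch in enumerate(line[1:], start=1):
            if ord(ch) > 0x7F:
                warnings.append((lineno, col, describe(ch)))
    return warnings


def format_warnings(warnings):
    """Render warnings in a checkpatch-like one-line-per-finding style."""
    return ["WARNING: non-ASCII character at line %d, column %d: %s" % w
            for w in warnings]


if __name__ == "__main__":
    for msg in format_warnings(check_non_ascii(SAMPLE_PATCH)):
        print(msg)
```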
