On 11/22/21 17:06, Gaëtan Rivet wrote:
> On Thu, Nov 18, 2021, at 16:45, Mike Pattrick wrote:
>> Recently there has been a lot of press about the "trojan source" attack,
>> where Unicode characters are used to obfuscate the true functionality of
>> code. This attack didn't affect OVS, but adding the check here will help
>> guard against it sneaking in later.
>>
>> Signed-off-by: Mike Pattrick <[email protected]>
>> ---
>> Changes in v2:
>> - Now all unicode characters will result in an error.
>>
>> Changes in v3:
>> - Added a test to validate behavior
>>
>> Signed-off-by: Mike Pattrick <[email protected]>
>
> Hello Mike,
>
> Thanks for the test, it's useful.
> I think the regex pattern might have expressed its intent
> in a clearer way[1], but this is really a nit. I'm not even
> fully convinced the alternative reads better, it's just that
> the intent of 'covering all printable ascii' is understood only
> by knowing the ascii values of ' ' and '~'.
>
> But this is a nit, and the intent is conveyed by the variable name
> anyway.
>
> Acked-by: Gaetan Rivet <[email protected]>
>
> [1]: by replacing '[^ -~\t]' by '[^\u0020-\u007e\t]',
>      or even '[^\u0000-\u007f]' for a strict/dumb 'non-ascii' definition.

I'd vote for '[^\u0000-\u007f]' if that works. It's much easier to read
than '[^ -~\t]'. Or even '[^\x00-\x7f]', if possible.

Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
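The character classes proposed in this thread do not all flag the same input: '[^ -~\t]' and '[^\u0020-\u007e\t]' are the same set, while the strict non-ASCII forms let ASCII control characters through. The following is an added example, not code from the patch or from OVS; the dictionary keys, the helper names and the sample lines are constructed for illustration.

```python
import re

# Character classes quoted in the thread; the dict keys are this example's own names.
PATTERNS = {
    "patch": re.compile(r"[^ -~\t]"),                  # printable ASCII plus tab
    "printable_u": re.compile(r"[^\u0020-\u007e\t]"),  # same set, explicit code points
    "non_ascii_u": re.compile(r"[^\u0000-\u007f]"),    # strict non-ASCII
    "non_ascii_x": re.compile(r"[^\x00-\x7f]"),        # same set, hex escapes
}

# Constructed sample lines (no trailing newline), not taken from OVS sources.
SAMPLES = {
    "plain": '\tif (level != "user") {',
    "bidi": "/* admin only \u202e */",   # U+202E RIGHT-TO-LEFT OVERRIDE
    "accent": "/* Ga\u00ebtan */",       # legitimate non-ASCII letter
    "escape": "x = 1;\x1b[2K",           # ASCII ESC: a control character
}


def first_offender(pattern_name, line):
    """Return (column, 'U+XXXX') of the first rejected character, or None."""
    m = PATTERNS[pattern_name].search(line)
    if m is None:
        return None
    return (m.start(), "U+%04X" % ord(m.group()))


def compare(samples=SAMPLES):
    """Map each sample label to the verdict of every pattern."""
    return {
        label: {name: first_offender(name, line) for name in PATTERNS}
        for label, line in samples.items()
    }


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(label, verdicts)
```

All four classes reject the bidirectional override and the accented letter; only the printable-ASCII forms also reject the ESC byte, which matters if the check is meant to cover terminal control sequences as well as Unicode.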
