Disallow isolate Unicode characters in comments and strings #13936

cameel opened this issue Feb 6, 2023 · 4 comments
Labels
breaking change ⚠️
bug 🐛
low effort (There is not much implementation work to be done. The task is very easy or tiny.)
medium impact (Default level of impact)
must have eventually (Something we consider essential but not enough to prevent us from releasing Solidity 1.0 without it.)
Comments

@cameel
Member

cameel commented Feb 6, 2023

Part of #10254.

Description

As shown in the Security advisory for rustc (CVE-2021-42574), the isolate Unicode characters (LRI, RLI, FSI, PDI) can be used to take a bit of text out of context and show it at the beginning or end of the line. We should disallow them to prevent this.

We have already disallowed unbalanced BiDi embedding/override characters in #10326. This is unfortunately not effective against the trick described here.

See How to use Unicode controls for bidi text for details on how these characters work.
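As an added illustration (standalone code, not part of the Solidity compiler or this issue), the check below shows why the embedding/override balance rule alone does not cover the isolate characters: the constructed sample source passes an LRE/RLE/LRO/RLO-versus-PDF balance check yet still contains an RLI/PDI pair inside a comment. Function names and the sample are assumptions made here.

```python
# Bidi control code points as assigned by the Unicode standard.
EMBED_OVERRIDE = {"\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO"}
PDF = "\u202C"  # closes an embedding or override
ISOLATES = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
PDI = "\u2069"  # closes an isolate


def embedding_override_balanced(text):
    """Per-line balance check in the spirit of the existing rule: every
    LRE/RLE/LRO/RLO must be closed by a PDF before the end of its line.
    Isolate characters are deliberately ignored here to show the gap."""
    for line in text.splitlines():
        depth = 0
        for ch in line:
            if ch in EMBED_OVERRIDE:
                depth += 1
            elif ch == PDF:
                if depth == 0:
                    return False
                depth -= 1
        if depth != 0:
            return False
    return True


def find_isolates(text):
    """Return (line_no, column, name) for every isolate control character,
    balanced or not, since the proposal is to reject them outright."""
    hits = []
    for ln, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line):
            if ch in ISOLATES or ch == PDI:
                hits.append((ln, col, ISOLATES.get(ch, "PDI")))
    return hits


def scan(text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not embedding_override_balanced(text):
        findings.append("unbalanced embedding/override character")
    for ln, col, name in find_isolates(text):
        findings.append(f"line {ln}, column {col}: isolate character {name}")
    return findings


# Constructed sample: a comment carrying an RLI ... PDI pair (no overrides).
SAMPLE = ("pragma solidity ^0.8.0;\ncontract C {\n"
          "    // note \u2067 example \u2069 text\n"
          "    function f() public {}\n}\n")
```

Running `scan(SAMPLE)` reports the two isolate characters while the balance check alone reports nothing.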

@cameel cameel added breaking change ⚠️ low effort There is not much implementation work to be done. The task is very easy or tiny. medium impact Default level of impact should have We like the idea but it’s not important enough to be a part of the roadmap. labels Feb 6, 2023
@cameel cameel removed the should have We like the idea but it’s not important enough to be a part of the roadmap. label Feb 6, 2023
@cameel
Member Author

cameel commented Feb 6, 2023

Actually, we need to consider whether just going for #10607 is not a better solution than playing whack-a-mole with individual Unicode characters.

@github-actions

github-actions bot commented May 8, 2023

This issue has been marked as stale due to inactivity for the last 90 days.
It will be automatically closed in 7 days.

@github-actions github-actions bot added the stale The issue/PR was marked as stale because it has been open for too long. label May 8, 2023
@github-actions

Hi everyone! This issue has been automatically closed due to inactivity.
If you think this issue is still relevant in the latest Solidity version and you have something to contribute, feel free to reopen.
However, unless the issue is a concrete proposal that can be implemented, we recommend starting a language discussion on the forum instead.

@github-actions github-actions bot added the closed due inactivity The issue/PR was automatically closed due to inactivity. label May 15, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 15, 2023
@ekpyron ekpyron reopened this May 15, 2023
@ekpyron ekpyron added must have eventually Something we consider essential but not enough to prevent us from releasing Solidity 1.0 without it. and removed closed due inactivity The issue/PR was automatically closed due to inactivity. stale The issue/PR was marked as stale because it has been open for too long. labels May 15, 2023
@ekpyron
Member

ekpyron commented May 15, 2023

Keeping this open, since this is not going away - even though in practice we may fix it via #10607

@ekpyron ekpyron added this to the 0.9.0 milestone Feb 17, 2025