<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 1 Nov 2021 16:10:02 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
+ ('\u{202A}', ""), // The following unicode text flow control characters are inconsistently
+ ('\u{202B}', ""), // supported accross CLIs and can cause confusion due to the bytes on disk
+ ('\u{202D}', ""), // not corresponding to the visible source code, so we replace them always.
+ ('\u{202E}', ""),
+ ('\u{2066}', ""),
+ ('\u{2067}', ""),
+ ('\u{2068}', ""),
+ ('\u{202C}', ""),
+ ('\u{2069}', ""),
Is it intentional that (here and elsewhere in the patch) they didn't
include all the characters with the Bidi_Control property?
$ grep -w Bidi_Control /usr/share/unicode/PropList.txt
061C ; Bidi_Control # Cf ARABIC LETTER MARK
200E..200F ; Bidi_Control # Cf [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
202A..202E ; Bidi_Control # Cf [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
2066..2069 ; Bidi_Control # Cf [4] LEFT-TO-RIGHT ISOLATE..POP DIRECTIONAL ISOLATE
So U+061C, U+200E and U+200F appear to be missing from the patch.
--
Jakub Wilk
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Pietro Albini (Oct 31)
Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Jakub Wilk (Nov 01)
Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Dave Horsfall (Nov 01)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->