
SoylentNews is people

posted by martyb on Tuesday November 02 2021, @03:22AM   Printer-friendly
from the sky-is-falling-again dept.

Brian Krebs reports today on the biggest global information security freak-out since Heartbleed (2014). Or not -- I'm not sure.

Virtually all compilers -- programs that transform human-readable source code into computer-executable machine code -- are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.

TL/DR: Because of Unicode string processing in all editors and compilers, and specifically how RTL [Right-to-Left][*] and LTR [Left-to-Right][*] control codes are supposed to affect the ordering of all characters regardless of whether or not they belong to an LTR language... Any source code processed by a Unicode-aware compiler is subject to hidden meaning where what's rendered in your editor or terminal is not what is actually read by the compiler. Re-ordering the display of characters in a block of code can change the meaning of comparison statements, string or number constants, and comments.

Krebs cites a paper (PDF) from researchers at the University of Cambridge, which contains some nifty code examples including changing "User is not in Admin group" to render as logic for "User is in Admin group" in every source control tool or editor you might use. This sort of supply chain attack can be inserted by anyone with commit access to the code you use from upstream sources -- disgruntled employees, open source contributors; virtually all software you use now could be a target.

Is this the end of the world, or just another Monday?

This post was written in pure ASCII, just to be safe.

[*] https://en.wikipedia.org/wiki/Right-to-left_mark.
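
A defender's check for the condition the summary describes, as an added example that is not from the original post or the Cambridge paper: it reports every line of a source file that contains Unicode bidirectional control characters and whether any are left unterminated at end of line. The function names and the sample text are constructed for illustration, and the pairing check is a simplification of the Unicode Bidirectional Algorithm.

```python
import unicodedata

# Bidi formatting characters from the Unicode Bidirectional Algorithm (UAX #9).
EMBED_OPEN = {"\u202A", "\u202B", "\u202D", "\u202E"}  # LRE, RLE, LRO, RLO
ISOLATE_OPEN = {"\u2066", "\u2067", "\u2068"}           # LRI, RLI, FSI
PDF, PDI = "\u202C", "\u2069"                           # closers for the above
MARKS = {"\u200E", "\u200F", "\u061C"}                  # LRM, RLM, ALM
BIDI = EMBED_OPEN | ISOLATE_OPEN | MARKS | {PDF, PDI}

# Constructed sample, written with escapes so this file itself stays pure ASCII.
SAMPLE = 'x = 1\n# note \u202E abc\nlabel = "\u2067name\u2069"\n'


def scan_source(text):
    """Return (line_no, [(column, char_name), ...], unbalanced) per affected line.

    unbalanced is True when an embedding, override or isolate is still open at
    end of line, or a closer appears that does not match the innermost opener.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits, stack, unbalanced = [], [], False
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI:
                continue
            hits.append((col, unicodedata.name(ch)))
            if ch in EMBED_OPEN:
                stack.append(PDF)       # expect a POP DIRECTIONAL FORMATTING
            elif ch in ISOLATE_OPEN:
                stack.append(PDI)       # expect a POP DIRECTIONAL ISOLATE
            elif ch in (PDF, PDI):
                if stack and stack[-1] == ch:
                    stack.pop()
                else:
                    unbalanced = True
        if hits:
            findings.append((line_no, hits, unbalanced or bool(stack)))
    return findings


def escape_bidi(text):
    """Replace each bidi control with a visible escape so reviewers see real order."""
    return "".join(f"\\u{ord(c):04X}" if c in BIDI else c for c in text)


if __name__ == "__main__":
    for line_no, hits, unbalanced in scan_source(SAMPLE):
        print(line_no, "UNBALANCED" if unbalanced else "balanced", hits)
    print(escape_bidi(SAMPLE))
```

Run over a repository in CI or a pre-commit hook, a check like this makes the logical character order visible before review, regardless of how an editor renders the line.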


  • (Score: 2) by PiMuNu on Tuesday November 02 2021, @01:39PM (3 children)

    Fair point, but every sane programmer I have seen since the 1980s uses indentation to delineate different levels of conditional/loop. So it is not too bad to make it a requirement of the language (or whenever fortran abandoned 7 white spaces with column 3 for comments). The only bad thing is that they let folks use tab indentation (which is a crime against humanity).

  • (Score: 1, Touché) by Anonymous Coward on Tuesday November 02 2021, @01:44PM (1 child)

    Tab indentation saves space in the source file, and you're free to set tab to indent however many spaces you want in your editor. There is only one true tab. But if you're one of those java or php morons who insist on putting every parameter on its own line, you're fucked anyway.
    • (Score: 2) by PiMuNu on Wednesday November 03 2021, @11:23AM

      Saves space in the source file.

      Laughs.

  • (Score: 1) by shrewdsheep on Wednesday November 03 2021, @10:37AM

    I am solidly in the tab-using camp using it for all languages including python. I used to be derogatory about the python white space handling but I have gotten over it some time ago. All languages have deep flaws and the lack of insight of the designers into certain aspects is showing blatantly. Use the right language for the task, write clear code and let others bicker about white space.

    What I have not seen in text editors but could help in these discussions is a way to reformat coding styles on the fly, i.e. re-format into your preferred style on loading and save into another style. This is not trivial as full parsing would be required but doable IMO.