Re: Unicode confusables and reordering characters considered harmful

[tomas]

On Wed, Nov 03, 2021 at 08:20:01AM -0400, Stefan Monnier wrote:
> > AFAIK, these specific characters are not necessary to write comments and
> >  strings in these languages.  Here are two random file which use RTL strings
> > and comments, and in which these characters are not used:
> 
> I was more worried about the fact that, while highlighting those chars
> might be helpful to warn about accidental uses of them, if attackers
> want to trick the reader, I'm pretty sure they can get similar results
> without having to use those special LTR/RTL override chars:
> 
>     int hi = 5;
>     int שָׁלוֹם = hi;
>     int hello = 10;
>     int السّلامعليك = hello;
>     myfun(שָׁלוֹם ,السّلامعليكم)
> 
> There's no override here, but did I call `myfun` with args 5 and 10 or
> did I call it with args 10 and 5?
> 
> [ OK, admittedly, for a bidi-idiot like me, it looks like neither since
>   the Arabic shaping of the two occurrences of the identifier actually look
>   different (and I truly have no clue why that is here), so I'm lead to
>   believe that the second is a reference to a non-existing
>   variable ;-)  ]

Most probably, yes. The second instance had one letter more, the "mim" (م)
at the end (which, for some funny reason, seems to have evaporated when my
mailer quoted your message: in the above quote, they now /look/ equal,
although when I copy/paste them, the mim re-appears. Go figure).

As a full disclosure, I have to admit that I'm using mutt with vim as an
editor (gah! :), so I chalk that up to differences between the viewer and
the editor: it seems vim just hides that one).

But you raise an interesting point: in an R to L stretch, is the order
of the arguments also R to L, or L to R?

Cheers
 - t

signature.asc
Description: Digital signature