Report information
Id: 128159
Status: open
Priority: 0/
Queue: perl6

Owner: Nobody
Requestors: cpan [at] zoffix.com
Cc:
AdminCc:

Severity: (no value)
Tag: (no value)
Platform: (no value)
Patch Status: (no value)
VM: (no value)



Subject: [RFC] Disallow Invisible Terms and Operators for Security Reasons
Hi,

Currently, some invisible characters can be used as terms and operators. Some of those are:

    > [⁠] U+2060 WORD JOINER [Cf]
    < [​] U+200B ZERO WIDTH SPACE [Cf]
    + [⁡] U+2061 FUNCTION APPLICATION [Cf]
    - [⁢] U+2062 INVISIBLE TIMES [Cf]
    . [⁣] U+2063 INVISIBLE SEPARATOR [Cf]
    , [] U+FEFF ZERO WIDTH NO-BREAK SPACE [Cf]

This allows for malicious and invisible action at a distance. For example, in one module I can define this invisible operator:

    sub prefix:<⁣> is tighter(&infix:<or>) is export {spurt 'DEBUG.txt', $^a, :append};

It uses U+2063 invisible separator. Now, in code that `use`s this module, I'm now able to silently steal data, like say this:

    use SomethingInnocent;
    ⁣my $credit_card = '3333-4444-4444-4444'; # pretend this is coming in from DB

By prefixing the `my` with U+2063 invisible separator, I'm silently siphoning the data assigned to $credit_card into a secret file. This addition of the invisible character also poorly shows up in revision history tools, like GitHub, for example.

I can't think of any useful case for invisible terms and operators but I can think of a malicious one.

Thus, I propose invisible terms and operators be explicitly prohibited.
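A defender-side check for the report above, added here as an example and not part of the ticket or of any Perl 6 implementation: every one of the six characters listed carries the Unicode general category Cf (Format), so a pre-commit hook or CI lint can flag any Cf character in a source file before it reaches a reviewer's diff view, where the report notes such characters render poorly. The example is written in Python, which exposes the category through the standard `unicodedata` module, and is run on a constructed copy of the report's own `⁣my $credit_card` line (the U+2063 is written as an escape so it stays visible in the listing); the function names are my own.

```python
import unicodedata
from typing import List, Tuple

# Constructed sample: a Perl 6 snippet with U+2063 INVISIBLE SEPARATOR
# placed in front of `my`, as in the report. Written as an escape so the
# character is visible here; on disk it would be invisible.
SAMPLE_SOURCE = (
    "use SomethingInnocent;\n"
    "\u2063my $credit_card = '3333-4444-4444-4444'; # pretend this is coming in from DB\n"
    "say $credit_card;\n"
)

Finding = Tuple[int, int, str, str]  # (line, column, "U+XXXX", character name)


def find_format_chars(source: str, allow_leading_bom: bool = True) -> List[Finding]:
    """Report every character whose Unicode general category is Cf (Format).

    All six characters in the report (U+200B, U+2060..U+2063, U+FEFF) are Cf.
    A U+FEFF byte-order mark as the very first character of the file is
    exempted by default, because editors write one routinely; pass
    allow_leading_bom=False to flag it as well.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.category(ch) != "Cf":
                continue
            if allow_leading_bom and lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            findings.append(
                (lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            )
    return findings


def strip_format_chars(source: str) -> str:
    """Return the source with every Cf character removed.

    Diffing the result against the original shows exactly what was hidden.
    """
    return "".join(ch for ch in source if unicodedata.category(ch) != "Cf")


def render_report(source: str) -> str:
    """Human-readable lint output, one line per finding (empty if clean)."""
    return "\n".join(
        f"line {lineno}, column {col}: {cp} {name}"
        for lineno, col, cp, name in find_format_chars(source)
    )


if __name__ == "__main__":
    print(render_report(SAMPLE_SOURCE) or "no format characters found")
```

Run as a script it prints `line 2, column 1: U+2063 INVISIBLE SEPARATOR` for the constructed sample; wired into CI, a non-empty report should fail the build. The check keys on the Cf category because that is what the standard library exposes; Unicode also defines a broader Default_Ignorable_Code_Point property that covers these characters and others (variation selectors, for instance), which a stricter lint could use if its Unicode library provides it.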
Date: Tue, 17 May 2016 08:46:07 -0500
From: Elizabeth Mattijsen <liz [...] dijkmat.nl>
Subject: Re: [perl #128159] [RFC] Disallow Invisible Terms and Operators for Security Reasons
To: "Zoffix Znet (via RT)" <perl6-bugs-followup [...] perl.org>
+1 from me.

Is there a Unicode property that indicates invisibleness?

Liz
===============

> On 16 May 2016, at 14:35, Zoffix Znet (via RT) <perl6-bugs-followup@perl.org> wrote:
>
> # New Ticket Created by Zoffix Znet
> # Please include the string: [perl #128159]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt.perl.org/Ticket/Display.html?id=128159 >
>
> Hi,
>
> Currently, some invisible characters can be used as terms and operators. Some of those are:
>
> > [⁠] U+2060 WORD JOINER [Cf]
> < [​] U+200B ZERO WIDTH SPACE [Cf]
> + [⁡] U+2061 FUNCTION APPLICATION [Cf]
> - [⁢] U+2062 INVISIBLE TIMES [Cf]
> . [⁣] U+2063 INVISIBLE SEPARATOR [Cf]
> , [] U+FEFF ZERO WIDTH NO-BREAK SPACE [Cf]
>
> This allows for malicious and invisible action at a distance. For example, in one module I can define this invisible operator:
>
> sub prefix:<⁣> is tighter(&infix:<or>) is export {spurt 'DEBUG.txt', $^a, :append};
>
> It uses U+2063 invisible separator. Now, in code that `use`s this module, I'm now able to silently steal data, like say this:
>
> use SomethingInnocent;
> ⁣my $credit_card = '3333-4444-4444-4444'; # pretend this is coming in from DB
>
> By prefixing the `my` with U+2063 invisible separator, I'm silently siphoning the data assigned to $credit_card into a secret file. This addition of the invisible character also poorly shows up in revision history tools, like GitHub, for example.
>
> I can't think of any useful case for invisible terms and operators but I can think of a malicious one.
>
> Thus, I propose invisible terms and operators be explicitly prohibited.