[ovs-dev] [PATCH v3] checkpatch: Detect "trojan source" attack
Gaëtan Rivet
grive at u256.net
Mon Nov 22 16:06:26 UTC 2021
On Thu, Nov 18, 2021, at 16:45, Mike Pattrick wrote:
> Recently there has been a lot of press about the "trojan source" attack,
> where Unicode characters are used to obfuscate the true functionality of
> code. This attack didn't affect OVS, but adding the check here will help
> guard against it sneaking in later.
>
> Signed-off-by: Mike Pattrick <mkp at redhat.com>
> ---
> Changes in v2:
> - Now all Unicode characters will result in an error.
>
> Changes in v3:
> - Added a test to validate behavior
>
> Signed-off-by: Mike Pattrick <mkp at redhat.com>
Hello Mike,
Thanks for the test, it's useful.
I think the regex pattern might have expressed its intent
in a clearer way[1], but this is really a nit. I'm not even
fully convinced the alternative reads better, it's just that
the intent of 'covering all printable ascii' is understood only
by knowing the ascii values of ' ' and '~'.
But this is a nit, and the intent is conveyed by the variable name
anyway.
Acked-by: Gaetan Rivet <grive at u256.net>
[1]: by replacing '[^ -~\t]' by '[^\u0020-\u007e\t]',
or even '[^\u0000-\u007f]' for a strict/dumb 'non-ascii' definition.
Best regards,
--
Gaetan Rivet
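
The three character classes compared in the reply above, run over constructed sample lines. This is an added example, not part of the e-mail or of checkpatch.py; the pattern names, helper functions and sample lines are assumptions made for illustration. It shows that the first two classes are equivalent, while the strict 'non-ascii' class also lets ASCII control characters such as ESC and DEL through.

```python
import re

# Character classes from the reply; the dictionary keys are this example's
# own names, not identifiers from checkpatch.py.
PATTERNS = {
    "printable": re.compile(r"[^ -~\t]"),              # '[^ -~\t]'
    "printable_u": re.compile(r"[^\u0020-\u007e\t]"),  # same set, code points spelled out
    "non_ascii": re.compile(r"[^\u0000-\u007f]"),      # strict 'non-ascii'
}

# Constructed sample lines, without trailing newline (assumption: the checker
# sees each line with its line ending already stripped).
SAMPLES = {
    "plain": "    if (is_admin) {",
    "tab": "\tretval = 0;",
    "bidi": "/* access check \u202e\u2066 */",  # bidirectional control characters
    "accent": "/* Author: Ga\u00ebtan */",      # ordinary non-ASCII letter
    "escape": "printf(\"ok\");\x1b[2K",         # ASCII ESC control character
    "del": "x = 1;\x7f",                        # ASCII DEL
}


def flagged(pattern_name, line):
    """Return the code points in `line` rejected by the named class."""
    return ["U+%04X" % ord(c) for c in PATTERNS[pattern_name].findall(line)]


def report():
    """Map each sample name to the set of classes that reject it."""
    return {
        name: {p for p in PATTERNS if flagged(p, line)}
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print("%-7s %s" % (name, ", ".join(sorted(hits)) or "-"))
```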