[squeak-dev] The Inbox: Compiler-ct.473.mcz
Tobias Pape
Das.Linux at gmx.de
Fri May 6 07:20:15 UTC 2022
> On 6. May 2022, at 07:38, Lauren Pullen <drurowin at gmail.com> wrote:
>
> Hi Christoph,
>
> On 5/5/22 19:08, Thiede, Christoph wrote:
>> While we are talking about special characters in source code already, would Compiler-ct.462 be a good merge candidate as well? It detects and warns about Trojan Source attacks<https://trojansource.codes/>. :-)
> +1 for forcing interactive override
>
> Even if Squeak doesn't interpret Bidi control codes for display today,
> we should still catch their potential abuse for tomorrow.
>
> I'd not heard of the abuse potential with the Bidi control codes...
> I was surprised to learn how flexible they were, especially with nesting
> Isolates to flip entire chunks of text. I thought they'd written text
> under erasure.
>
> -1 for noise potential
>
> If it comes up too frequently, users will become complacent*. This
> would put the users who work with Bidi text the most at the most risk.
>
> I think it would be better to add it as a postcondition to tokenization:
> 'a single token will revert text direction if it changes it'. It should
> be okay to compile things like
>
> doThing: אוסף
> "Operate on the אוסף"
> אוסף do: [:ea | ea thingToDo]
>
> without complaint since each token sets LTR for every RTL, but starting
> RTL outside a comment then putting the ending LTR in a comment is fishy.
That's a very good stance!
But if we are not careful, that gets complex quickly.
Is אוסף2 ok? Should the 2 go after the token? (Note that these Hebrew characters do not even contain RTL/LTR markers.)
Best regards
-Tobias
>
> * A coworker one day said they installed a virus on their computer the
> night before because they ignored the SSL validation failure message
> because the websites they go to often fail it, and then proceeded to
> ignore the built-in antivirus check because it always complains, and
> then ignored the Windows UAC message saying it wasn't produced by the
> intended vendor because companies frequently use names unknown to the
> normal consumer. It's important to note this coworker was my direct
> supervisor, whose job involves paying attention to details to see how
> much of a merit raise to give me. The irony was not lost on them.
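The per-token postcondition Lauren proposes, together with the case Tobias raises, as an added example in Python rather than Squeak code (this is not from Compiler-ct.462 or the attached file). It tokenizes Smalltalk-like source with a deliberately simplified lexer (double-quoted comments, single-quoted strings, whitespace-separated runs of everything else; an assumption of this example, not the Squeak Scanner) and flags any token that opens a Bidi embedding, override or isolate without reverting it, or that closes one it never opened. The sample inputs are constructed here. Plain Hebrew letters are strong right-to-left characters but carry no control codes, so the check stays silent on `אוסף` and `אוסף2`, which is exactly Tobias's point: this catches the control-character trick, not visual reordering caused by the script itself.

```python
"""Trojan Source check: Bidi controls must be balanced within a single token."""
import re
from typing import List, NamedTuple

# Unicode bidirectional controls that open a run and need a terminator.
EMBEDDING_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
PDF = "\u202c"  # Pop Directional Formatting: closes an embedding/override
PDI = "\u2069"  # Pop Directional Isolate: closes an isolate (and embeddings inside it)


class Finding(NamedTuple):
    offset: int   # character offset of the token in the source
    token: str
    problem: str


# Simplified Smalltalk lexer (assumption, not the Squeak Scanner):
# "..." comments, '...' strings with '' escapes, runs of other non-space
# characters, and a lone character as a fallback for a stray quote.
TOKEN_RE = re.compile(r'"[^"]*"|\'(?:[^\']|\'\')*\'|[^\s"\']+|\S')


def check_token(token: str) -> List[str]:
    """Return the problems found in one token; empty means the token is clean."""
    stack: List[str] = []   # openers that have not been closed yet, in order
    problems: List[str] = []
    for ch in token:
        if ch in EMBEDDING_OPENERS or ch in ISOLATE_OPENERS:
            stack.append(ch)
        elif ch == PDF:
            if stack and stack[-1] in EMBEDDING_OPENERS:
                stack.pop()
            else:
                problems.append("PDF (U+202C) has no matching embedding in this token")
        elif ch == PDI:
            # PDI terminates the innermost isolate and everything opened inside it.
            while stack and stack[-1] not in ISOLATE_OPENERS:
                stack.pop()
            if stack:
                stack.pop()
            else:
                problems.append("PDI (U+2069) has no matching isolate in this token")
    for opener in stack:
        problems.append(
            f"U+{ord(opener):04X} changes direction but the token never reverts it")
    return problems


def scan_source(source: str) -> List[Finding]:
    """Apply the per-token postcondition to a whole source text."""
    findings: List[Finding] = []
    for m in TOKEN_RE.finditer(source):
        for problem in check_token(m.group()):
            findings.append(Finding(m.start(), m.group(), problem))
    return findings


# Constructed samples (not taken from the thread's attachment).
CLEAN = (
    "doThing: אוסף\n"
    '    "Operate on the אוסף"\n'
    "    אוסף do: [:ea | ea thingToDo]\n"
)
# Strong RTL letters without any control character: nothing for this check to see.
HEBREW_DIGIT = "אוסף2 do: [:ea | ea]"
# The string token both opens (RLI) and closes (PDI) its direction change: allowed.
BALANCED = "label := 'שלום \u2067world\u2069'"
# RLO opened inside a string literal, PDF hidden in the following comment: the
# "start RTL outside a comment, end it inside a comment" pattern Lauren calls fishy.
TROJAN = (
    "isAdmin := user name = 'admin\u202e'\n"
    '    "\u202c check the role first"\n'
    "    ifTrue: [self grantAll]"
)

if __name__ == "__main__":
    for name, text in [("clean", CLEAN), ("hebrew+digit", HEBREW_DIGIT),
                       ("balanced", BALANCED), ("trojan", TROJAN)]:
        print(name, scan_source(text) or "ok")
```

Running it reports two findings for the constructed trojan sample, one on the string token that never reverts U+202E and one on the comment token whose U+202C closes nothing, while the three other samples pass.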