<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">IMO, trying to restrict allowed operator characters based on their visual similarity to other characters is folly. The Unicode representation of a character is an independent thing from its visual representation.<div class=""><br class=""></div><div class="">Because, ideally, I’d love to be able to do:</div><div class=""><br class=""></div><div class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">infix operator and: LogicalConjunctionPrecedence // or whatever the precedence is called</span></font></div><div class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">func and(lhs: Bool, rhs: Bool) -> Bool { return lhs && rhs }</span></font></div><div class=""><font face="Menlo" class=""><span style="font-size: 11px;" class=""><br class=""></span></font></div><div class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">let truthyValue = true and false</span></font></div><div class=""><br class=""></div><div class="">That would make teaching simple predicate calculus much simpler. :)</div><div class=""><br class=""></div><div class="">Dave<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 3, 2017, at 10:43 AM, Félix Cloutier via swift-evolution <<a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" class=""><div class=""><br class="Apple-interchange-newline">On Oct 2,
2017, at 21:40, Chris Lattner <<a href="mailto:clattner@nondot.org" class="">clattner@nondot.org</a>> wrote:</div><div class=""><div class=""><br class=""><blockquote type="cite" class="">On Oct 2, 2017, at 1:13 AM, Félix Cloutier via swift-evolution <<a href="mailto:swift-evolution@swift.org" class="">swift-evolution@swift.org</a>> wrote:<br class=""><br class="">If you tried hard enough, you could probably create a variable that looks like it's shadowing one from an outer scope while it actually isn't, and use the two to confuse readers. This could trick people into thinking that some dangerous/backdoor code is actually good and safe, especially in the open-source world where you can't always trust your contributors.<br class=""><br class="">On one hand, other than the complexity of telling if two characters are lookalikes, I don't know why Αrray (GREEK CAPITAL LETTER ALPHA) and Array (LATIN CAPITAL LETTER A) should be considered different identifiers. On the other hand, I struggle to imagine the specifics of an exploit that uses that. You'd have to work pretty hard to assemble all the pieces of a backdoor in visually-similar variable names without arousing suspicion.<br class=""></blockquote><br class="">I don’t think this is something we have to try hard to avoid. It is true that some characters look similar, particularly in some fonts, but this isn’t new:<br class=""><br class=""> let a1 = 42<br class=""> let al = 12<br class=""> let b = al + a1<span class="Apple-converted-space"> </span><br class=""></div></div></blockquote><div class=""><br class=""></div><div class="">There is a fundamental difference between similar characters and characters that are meant to be visually identical. 
People judge the quality of a font by its Unicode support, and that means that only "low-quality" fonts would render, say, LATIN CAPITAL LETTER T and GREEK CAPITAL LETTER TAU differently.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">If there were real code that was maliciously shadowing to try to cause confusion, then you have a more serious problem on your hands than someone accidentally misunderstanding which one to use.<br class=""></div></div></blockquote><div class=""><br class=""></div>I'm not sure I understand. If the "more serious problem" you're talking about is that your popular project is a valuable target to subvert, then there is no question that being backdoored would be more serious than people not reading your code right. I don't see how it pushes the problem out of scope, though.<br class=""><div class=""><br class=""></div><div class="">As a security guy, I take my role of thinking about how anything can be abused very seriously. Backdoored open source projects turn up every now and then.</div><div class=""><br class=""></div><div class="">This code is backdoored. 
I challenge you to spot the bug:</div><div class=""><br class=""></div><div class=""><div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(253, 246, 227);"><div class="" style="margin: 0px; font-stretch: normal; line-height: normal; color: rgb(101, 123, 131);"><span class="" style="color: rgb(133, 153, 1);">func</span><span class="Apple-converted-space"> </span>shellEscape(<span class="" style="color: rgb(133, 153, 1);">_</span><span class="Apple-converted-space"> </span>args: [<span class="" style="color: rgb(181, 137, 1);">String</span>]) -> [<span class="" style="color: rgb(181, 137, 1);">String</span>]?</div><div class="" style="margin: 0px; font-stretch: normal; line-height: normal; color: rgb(101, 123, 131);"><span class="" style="color: rgb(133, 153, 1);">func</span><span class="Apple-converted-space"> </span>isWhitelisted(<span class="" style="color: rgb(133, 153, 1);">_</span><span class="Apple-converted-space"> </span>tool:<span class="Apple-converted-space"> </span><span class="" style="color: rgb(181, 137, 1);">String</span>) -><span class="Apple-converted-space"> </span><span class="" style="color: rgb(181, 137, 1);">Bool</span></div><div class="" style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 14px;"><br class=""></div><div class="" style="margin: 0px; font-stretch: normal; line-height: normal; color: rgb(101, 123, 131);"><div class="" style="margin: 0px; font-stretch: normal; line-height: normal;"><span class="" style="color: rgb(133, 153, 1);">func</span><span class="Apple-converted-space"> </span>execute(externalTool:<span class="Apple-converted-space"> </span><span class="" style="color: rgb(181, 137, 1);">String</span>, parameters: [<span class="" style="color: rgb(181, 137, 1);">String</span>]) {</div><div class="" style="margin: 0px; font-stretch: normal; line-height: normal;"> <span 
class="Apple-converted-space"> </span><span class="" style="color: rgb(133, 153, 1);">if</span><span class="Apple-converted-space"> </span><span class="" style="color: rgb(108, 113, 196);">isWhitelisted</span>(externalTool),<span class="Apple-converted-space"> </span><span class="" style="color: rgb(133, 153, 1);">let</span><span class="Apple-converted-space"> </span>pаrameters =<span class="Apple-converted-space"> </span><span class="" style="color: rgb(108, 113, 196);">shellEscape</span>(parameters) {</div><div class="" style="margin: 0px; font-stretch: normal; line-height: normal;"> print(<span class="" style="color: rgb(42, 161, 152);">"Running tool<span class="Apple-converted-space"> </span></span>\<span class="" style="color: rgb(42, 161, 152);">(</span>pаrameters[<span class="" style="color: rgb(42, 161, 152);">0</span>]<span class="" style="color: rgb(42, 161, 152);">)"</span>)</div><div class="" style="margin: 0px; font-stretch: normal; line-height: normal;"> system(parameters.joined(separator:<span class="Apple-converted-space"> </span><span class="" style="color: rgb(42, 161, 152);">" "</span>))</div><div class="" style="margin: 0px; font-stretch: normal; line-height: normal;"> }</div><div class="" style="margin: 0px; font-stretch: normal; line-height: normal;">}</div></div></div></div><div class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div class="">All I’m saying is that we shouldn’t complicate the design to solve this problem (IMO). If it falls out of the solution somehow (e.g. just disallow invisible characters) then that’s great of course!<br class=""></div></div></blockquote><div class=""><br class=""></div><div class="">How did you identify the bug in the snippet from above? 
Is it practical enough that you would, for instance, recommend that the server group do that test on every PR that they receive going forward?</div><div class=""><br class=""></div><div class="">I think that it's hard to build something meaningful without making it look suspicious. It's already kind of fishy that my shellEscape function returns an Optional, and people will eventually figure out that the parameters are not, in fact, shell-escaped. Still, I feel that it should be recognized that security is more than buffer overflows and integer overflows, and if there ever is an underhanded Swift code contest, that'll be my entry.</div></div><br class="" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div class="" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Félix</div><div class="" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class=""></div><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; 
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">swift-evolution mailing list</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="mailto:swift-evolution@swift.org" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">swift-evolution@swift.org</a><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="https://lists.swift.org/mailman/listinfo/swift-evolution" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" 
class="">https://lists.swift.org/mailman/listinfo/swift-evolution</a></div></blockquote></div><br class=""></div></body></html>
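The quoted message asks whether a lookalike-identifier test is practical to run on every PR. The following is an added example, not code from the thread or from the Swift project: a Python scan that flags identifiers mixing scripts and identifiers that collide once lookalikes are folded together. The CONFUSABLE table is a hand-picked subset standing in for the confusables.txt data of Unicode UTS #39, and SAMPLE is constructed from the quoted snippet.

```python
import re
import unicodedata
from collections import defaultdict

# Assumption: hand-picked subset of Unicode confusables (UTS #39 publishes
# the full table as confusables.txt), covering lookalikes named in the thread.
CONFUSABLE = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0391": "A",  # GREEK CAPITAL LETTER ALPHA
    "\u03a4": "T",  # GREEK CAPITAL LETTER TAU
}
IDENT = re.compile(r"[^\W\d]\w*")  # approximates a Unicode identifier

# Constructed sample; the lookalike letter is escaped so it is visible here.
SAMPLE = (
    "func execute(externalTool: String, parameters: [String]) {\n"
    "  if isWhitelisted(externalTool),\n"
    "     let p\u0430rameters = shellEscape(parameters) {\n"
    '    print("Running tool \\(p\u0430rameters[0])")\n'
    '    system(parameters.joined(separator: " "))\n'
    "  }\n"
    "}\n"
)


def scripts(ident):
    """Scripts of the letters in ident, read from their Unicode names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in ident if c.isalpha()}


def skeleton(ident):
    """NFKC-normalise, then fold known lookalikes onto their Latin twin."""
    folded = unicodedata.normalize("NFKC", ident)
    return "".join(CONFUSABLE.get(c, c) for c in folded)


def audit(source):
    """Return (mixed-script identifiers, skeleton -> colliding spellings)."""
    by_skeleton, mixed = defaultdict(set), set()
    for ident in IDENT.findall(source):
        by_skeleton[skeleton(ident)].add(ident)
        if len(scripts(ident)) > 1:
            mixed.add(ident)
    return mixed, {k: v for k, v in by_skeleton.items() if len(v) > 1}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `a1` / `al` pair from the thread is not flagged: those names differ in their skeleton, whereas the two spellings of `parameters` fold to the same one.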