Trojan Source: an attack for introducing code changes that are invisible to the developer

Researchers from the University of Cambridge have published a method for inserting malicious code into source code that is subject to peer review. The attack (CVE-2021-42574), called Trojan Source, is based on producing text that looks different to the compiler/interpreter than it does to a human reviewer. Examples of applying the method have been demonstrated for various compilers and interpreters for C, C++ (gcc and clang), C#, JavaScript (Node.js), Java (OpenJDK 16), Rust, Go, and Python.

The method relies on special Unicode characters in comments that change the display order of bidirectional text. These control characters allow some parts of the text to be rendered left-to-right while other parts are rendered right-to-left. In everyday practice, such control characters are used, for example, to embed Hebrew or Arabic strings in code. However, if strings with different text directions are combined on one line using these characters, the right-to-left text segments can overlay the existing left-to-right text.

Using this method, a malicious construct can be inserted into the code, and the text containing that construct can be made invisible by adding right-to-left characters in a following comment or inside a string literal, so that completely different characters are overlaid on the malicious insert. Such code remains semantically valid, but it is interpreted and displayed differently.


During a code review, the developer sees the visual order of the characters and therefore an unremarkable comment in a modern text editor, web interface, or IDE. The compiler or interpreter, however, uses the logical order of the characters and processes the malicious insert as is, ignoring the bidirectional text in the comment. The problem affects various popular code editors (VS Code, Emacs, Atom), as well as the code-viewing interfaces of repository hosting services (GitHub, Gitlab, BitBucket, and all Atlassian products).


There are several ways to use the method for malicious purposes: adding a hidden "return" statement that makes a function exit early; commenting out expressions that would normally be seen as valid constructs (for example, to disable important checks); assigning different string values that cause string checks to fail.

For example, an attacker could propose a change that includes the line: if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {

which would appear in the review interface as: if access_level != "user" {// Check if admin

Another attack using homoglyphs (CVE-2021-42694) has also been disclosed. It relies on look-alike characters: characters that appear similar but have different meanings and different Unicode code points (for example, the character "ɑ" looks like "a", "ɡ" looks like "g", and "ɩ" looks like "l"). In some languages such characters can be used in function and variable names to mislead developers. For example, two functions with visually indistinguishable names that perform different actions can be defined. Without close analysis, it is not immediately clear which of the two functions is called at a given location.


As a security measure, it is recommended that compilers, interpreters, and build tools that support Unicode produce an error or warning when comments, string literals, or identifiers contain unpaired control characters that change the output direction (U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069, U+061C, U+200E, and U+200F). Such characters should also be explicitly prohibited by programming language specifications and taken into account by code editors and repository interfaces.
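The following scanner is an added example, not code from the article or from the Cambridge researchers. It implements the check recommended above for the twelve bidi control code points, and the homoglyph check from the preceding paragraph by collapsing identifiers to an ASCII "skeleton" and reporting collisions. The sample source is constructed here from the article's access_level example plus a pair of look-alike function names; the confusable map covers only the three homoglyphs the article names, where a real scanner would load the full Unicode confusables table.

```python
import re
import unicodedata
from collections import defaultdict

# The twelve bidi control code points the article recommends rejecting
# in comments, string literals and identifiers.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u061C": "ALM", "\u200E": "LRM", "\u200F": "RLM",
}

# Minimal confusable map, limited to the homoglyphs named in the article
# (assumption: a production scanner would use Unicode's confusables.txt).
CONFUSABLES = {"\u0251": "a", "\u0261": "g", "\u0269": "l"}

# Language-agnostic identifier pattern: a Unicode letter or underscore
# followed by word characters. Bidi controls are category Cf, so they
# terminate a token rather than being absorbed into it.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def find_bidi_controls(source):
    """Return (line, column, name) for every bidi control character (1-indexed)."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, BIDI_CONTROLS[ch]))
    return hits


def skeleton(identifier):
    """Collapse an identifier to the ASCII form a reviewer would perceive."""
    normalised = unicodedata.normalize("NFKC", identifier)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def find_confusable_identifiers(source):
    """Return {skeleton: [distinct identifiers]} for skeletons shared by
    more than one identifier, i.e. names a reviewer cannot tell apart."""
    groups = defaultdict(set)
    for ident in IDENT_RE.findall(source):
        groups[skeleton(ident)].add(ident)
    return {sk: sorted(ids) for sk, ids in groups.items() if len(ids) > 1}


def find_non_ascii_identifiers(source):
    """Return every identifier containing a non-ASCII character."""
    return sorted({i for i in IDENT_RE.findall(source) if not i.isascii()})


# Constructed sample: line 4 is the article's access_level example written
# with real control characters; the last two lines define look-alike functions.
SAMPLE = (
    "package main\n"
    "\n"
    "func isAdmin(access_level string) bool {\n"
    '    if access_level != "user\u202E \u2066// Check if admin\u2069 \u2066" {\n'
    "        return true\n"
    "    }\n"
    "    return false\n"
    "}\n"
    "\n"
    'func sayHello() { fmt.Println("hello") }\n'
    'func sayHe\u0269\u0269o() { fmt.Println("pwned") }\n'
)


if __name__ == "__main__":
    for line_no, col, name in find_bidi_controls(SAMPLE):
        print(f"bidi control {name} at line {line_no}, column {col}")
    for sk, idents in find_confusable_identifiers(SAMPLE).items():
        print(f"identifiers indistinguishable from '{sk}': {idents}")
    print("non-ASCII identifiers:", find_non_ascii_identifiers(SAMPLE))
```

The scanner works on raw text, so it does not know which tokens are comments, strings or identifiers; that is deliberate, because the article's point is that the controls are dangerous wherever they occur, and the grep recommended in Update 1 below makes the same choice. Run the bidi check in CI on every changed file, and treat any skeleton collision or non-ASCII identifier as a finding for a human to confirm.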

Update 1: Fixes addressing the vulnerability have been prepared for GCC, LLVM/Clang, Rust, Go, Python, and binutils. GitHub, Bitbucket, and Jira have also fixed the problem. A fix for GitLab is in preparation. To identify problematic code, it is recommended to use the command: grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]' /path/to/source

Update 2: Russ Cox, one of the developers of the Plan 9 OS and the Go programming language, criticized the excessive attention given to the described attack method, which has long been known (in Go, Rust, C++, Ruby) and was not taken seriously. According to Cox, the problem mainly concerns the correct display of information in code editors and web interfaces, and can be solved by using appropriate tools and code analyzers during review. Therefore, instead of drawing attention to speculative attacks, it would be more appropriate to focus on improving code review and dependency review processes.

Russ Cox also believes that compilers are not the right place to fix the problem, since blocking dangerous characters at the compiler level leaves many tools in which the use of such characters is still permitted, such as build systems, assemblers, package managers, and various configuration and data parsers. As an example he cites the Rust project, which banned LTR/RTL code processing in the compiler but did not complete a fix for the Cargo package manager, leaving a similar attack possible via Cargo.toml files. Likewise, files such as BUILD.bazel, CMakefile, Cargo.toml, Dockerfile, GNUmakefile, Makefile, go.mod, package.json, pom.xml, and requirements.txt can become attack vectors.

Source: opennet.ru
