Trojan Source: an attack that introduces changes into code that are invisible to the developer

Researchers from the University of Cambridge have published a technique for silently injecting malicious code into source code that is undergoing review. The attack method (CVE-2021-42574) is presented under the name Trojan Source and is based on constructing text that looks different to the compiler or interpreter than it does to the person reading the code. The method is demonstrated for a range of compilers and interpreters: C and C++ (gcc and clang), C#, JavaScript (Node.js), Java (OpenJDK 16), Rust, Go and Python.

The method relies on special Unicode control characters, placed in code comments or string literals, that change the display order of bidirectional text. With such control characters, some parts of a line can be rendered from left to right and others from right to left. In everyday use these characters are legitimate, for example when a file contains lines of code or text in Hebrew or Arabic. But when fragments with different directions are combined on one line using these controls, a right-to-left fragment can be rendered on top of text that is displayed left to right.

Using this technique, an attacker can add a malicious construct to the code and then hide it from anyone viewing the code: by inserting right-to-left control characters into an adjacent comment or into a string literal, entirely different characters are rendered in place of the malicious insertion. The code remains syntactically valid, but it is interpreted one way and displayed another.

When reviewing the code, the developer sees the visual order of the characters and an innocuous-looking comment in a modern text editor, web interface or IDE, while the compiler or interpreter works with the logical order of the characters and processes the malicious insertion as written, ignoring the bidirectional controls in the comment. The problem affects popular code editors (VS Code, Emacs, Atom) as well as the code-viewing interfaces of repository hosts (GitHub, GitLab, Bitbucket and all Atlassian products).

There are several ways to turn the technique into malicious behaviour: adding a hidden "return" statement that makes a function exit prematurely; commenting out expressions that appear, when displayed, to be live code (for example, disabling an important check); and assigning different string values so that a string comparison or validation fails.

For example, an attacker could propose a change containing the line (control characters shown as escapes):

    if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {

which the review interface renders as:

    if access_level != "user" {// Check if admin

The reader takes the comparison to be against "user" followed by a comment, while for the compiler the string literal actually runs to the closing quote and includes the apparent comment, so the comparison never matches.
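The same mechanism carried through in Python, as an added example that is not part of the original article or of the researchers' own code: the control character is written as an escape so it is visible here, and the snippet is then executed to show that the interpreter follows the logical order and reaches the hidden `return`. The bank/subtract_funds snippet is constructed sample code for this example.

```python
import io
import tokenize

RLI = "\u2067"  # RIGHT-TO-LEFT ISOLATE, one of the controls the article lists

# Constructed sample (assumption: this is the diff an attacker proposes). In a
# bidi-aware viewer the text after RLI is reordered so that ";return" reads as
# part of the docstring; the interpreter sees a string statement, ";", "return".
TROJAN_SOURCE = (
    "bank = {'alice': 100}\n"
    "\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then " + RLI + "''' ;return\n"
    "    bank[account] -= amount\n"
)

# What the reviewer believes was committed: a docstring followed by the deduction.
INTENDED_SOURCE = TROJAN_SOURCE.replace(RLI + "''' ;return", "'''")


def run_and_read_balance(source, account="alice", amount=50):
    """Execute the snippet in a fresh namespace and return the balance afterwards."""
    namespace = {}
    exec(source, namespace)
    namespace["subtract_funds"](account, amount)
    return namespace["bank"][account]


def logical_tokens(line):
    """Tokens of one source line in the order the interpreter processes them
    (the logical order, not the rendered one)."""
    toks = tokenize.generate_tokens(io.StringIO(line).readline)
    return [(tokenize.tok_name[t.type], t.string) for t in toks
            if t.type in (tokenize.STRING, tokenize.OP, tokenize.NAME)]


if __name__ == "__main__":
    print("trojan   :", run_and_read_balance(TROJAN_SOURCE))    # 100: deduction skipped
    print("intended :", run_and_read_balance(INTENDED_SOURCE))  # 50
    # Stripping the control character changes nothing for the interpreter,
    # which is exactly why it is invisible to the compiler and not to the reader.
    print("no RLI   :", run_and_read_balance(TROJAN_SOURCE.replace(RLI, "")))  # 100
    for kind, text in logical_tokens(TROJAN_SOURCE.splitlines()[3].strip() + "\n"):
        print(f"{kind:6} {text!r}")
```

The token dump is the useful part for a reviewer: the interpreter sees a STRING token that ends at the second `'''`, then the operator `;`, then the name `return`; no amount of rendering changes that sequence.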

In addition, a second attack variant is described (CVE-2021-42694) based on homoglyphs: characters that look alike but have different meanings and different Unicode code points (for example, "ɑ" resembles "a", "ɡ" resembles "g", and "ɩ" resembles "l"). In some languages such characters can be used in function and variable names to mislead developers. For example, two functions with visually indistinguishable names can be defined that do different things, and without careful analysis it is not obvious which of the two is being called at a given point.

As a protective measure, it is recommended that compilers, interpreters and build tools that support Unicode emit an error or warning when comments, string literals or identifiers contain unpaired control characters that change the text direction (U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069, U+061C, U+200E and U+200F). Such characters should also be explicitly prohibited in identifiers by language specifications, and code editors and repository interfaces should take them into account when rendering.

Addendum 1: Patches for the vulnerability have been prepared for GCC, LLVM/Clang, Rust, Go, Python and binutils. GitHub, Bitbucket and Jira have also fixed the issue; a fix for GitLab is in progress. To find affected code, the following command is suggested (with /path/to/source standing for the tree to scan):

    grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]' /path/to/source
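A scanner along the lines of the recommendation above and of the grep in Addendum 1, added here as an example (it is neither the researchers' tooling nor from opennet.ru): it tokenizes Python source, reports any Bidi control found in a comment or string literal together with whether the embeddings and isolates are paired, and, for the homoglyph variant, flags identifiers containing non-ASCII code points. The sample it scans is constructed for this example and ports the article's Go line to Python; treating every non-ASCII identifier as suspicious is this example's policy for an ASCII-only code base, not something the article specifies.

```python
import io
import tokenize
import unicodedata

# Controls from the article's list. Embeddings/overrides are closed by PDF,
# isolates by PDI; the three marks (ALM, LRM, RLM) have no closing character.
EMBED_OPENERS = {"\u202A", "\u202B", "\u202D", "\u202E"}  # LRE RLE LRO RLO
PDF = "\u202C"
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}          # LRI RLI FSI
PDI = "\u2069"
MARKS = {"\u061C", "\u200E", "\u200F"}
BIDI_CONTROLS = EMBED_OPENERS | {PDF} | ISOLATE_OPENERS | {PDI} | MARKS


def bidi_unpaired(text):
    """True if an embedding or isolate is opened but not closed within `text`,
    or closed without having been opened. The scope is one comment or literal,
    which is where the article says tools should warn."""
    embed = isolate = 0
    for ch in text:
        if ch in EMBED_OPENERS:
            embed += 1
        elif ch == PDF:
            if embed == 0:
                return True
            embed -= 1
        elif ch in ISOLATE_OPENERS:
            isolate += 1
        elif ch == PDI:
            if isolate == 0:
                return True
            isolate -= 1
    return embed != 0 or isolate != 0


def _describe(chars):
    return ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in chars)


def scan_python_source(source):
    """Return a list of (line_number, message) findings for Trojan Source style content."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in (tokenize.STRING, tokenize.COMMENT):
            controls = [c for c in tok.string if c in BIDI_CONTROLS]
            if controls:
                state = "unpaired" if bidi_unpaired(tok.string) else "paired"
                where = tokenize.tok_name[tok.type].lower()
                findings.append((tok.start[0], f"{state} Bidi control in {where}: {_describe(controls)}"))
        elif tok.type == tokenize.NAME:
            non_ascii = [c for c in tok.string if ord(c) > 0x7F]
            if non_ascii:
                findings.append((tok.start[0], f"non-ASCII identifier {tok.string!r}: {_describe(non_ascii)}"))
    return findings


# Constructed sample. Line 2 ports the article's Go example to Python: the
# apparent comment lives inside the string literal, so the comparison never
# matches and the body always runs. Line 4 is a harmless, properly paired
# isolate around Hebrew text. Line 5 uses U+0251 (LATIN SMALL LETTER ALPHA)
# in place of "a", the homoglyph case.
SAMPLE = (
    "access_level = 'user'\n"
    "if access_level != 'user\u202E \u2066# Check if admin\u2069 \u2066':\n"
    "    print('You are an admin.')\n"
    "# \u2067\u05E9\u05DC\u05D5\u05DD\u2069 paired isolate around Hebrew text\n"
    "def s\u0251y_hello():\n"
    "    return 'hi'\n"
)

if __name__ == "__main__":
    for line, msg in scan_python_source(SAMPLE):
        print(f"line {line}: {msg}")
```

The pairing check is what separates a legitimate right-to-left comment from an attack: the article's own example leaves both an RLO and an LRI open so that their effect spills over the rest of the line, whereas a closed isolate only affects the text it encloses. For build files and manifests (Cargo.toml, Makefile, package.json and the others named in Addendum 2) the grep above remains the right tool, since they have no Python tokenizer.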

Addendum 2: Russ Cox, one of the developers of the Plan 9 operating system and of the Go programming language, criticized the excessive attention given to the described attack, which has long been known (Go, Rust, C++, Ruby) and has not been treated as serious. According to Cox, the problem is mainly one of correctly displaying information in code editors and web interfaces, and it can be solved with suitable tooling and code analyzers during review. Instead of drawing attention to speculative attacks, it would therefore be more appropriate to focus on improving code and dependency review processes.

Cox also believes that compilers are not the right place to fix the problem: even if dangerous characters are rejected at the compiler level, a large layer of tooling remains in which these characters are still accepted, such as build systems, assemblers, package managers and the various configuration and data parsers. He cites the Rust project as an example: it rejected LTR/RTL control codes in the compiler but added no corresponding fix to the Cargo package manager, which allows the same attack through the Cargo.toml file. Likewise, files such as BUILD.bazel, CMakefile, Cargo.toml, Dockerfile, GNUmakefile, Makefile, go.mod, package.json, pom.xml and requirements.txt can serve as attack vectors.

Source: opennet.ru
