Trojan Source attack: introducing code changes that are invisible to the developer

Researchers from the University of Cambridge have published a technique for quietly inserting malicious code into source code that passes peer review. The attack method (CVE-2021-42574) is presented under the name Trojan Source and rests on constructing text that looks different to the compiler or interpreter than it does to the person reviewing the code. The method has been demonstrated against various compilers and interpreters for C, C++ (gcc and clang), C#, JavaScript (Node.js), Java (OpenJDK 16), Rust, Go and Python.

The method relies on special Unicode characters in code comments that change the display order of bidirectional text. With such control characters some parts of a line can be displayed left to right while others are displayed right to left. In everyday practice these characters are used legitimately, for example to put comments in Hebrew or Arabic into a file. But if text runs with different directions are combined on one line with these characters, fragments displayed right to left can be laid over the ordinary text displayed left to right.

Using this method, an attacker can add a malicious construct to the code and then make it invisible during code review by adding, in a following comment or inside a string literal, characters that are displayed right to left, so that entirely different characters are rendered on top of the malicious insertion. The code remains semantically valid, but it is interpreted one way and displayed another.


When reviewing the code, a developer sees the visual order of the characters and an unsuspicious comment in any modern text editor, web interface or IDE, whereas the compiler or interpreter works with the logical order of the characters and processes the malicious insertion as written, ignoring the bidirectional text in the comment. The problem affects various code editors (VS Code, Emacs, Atom) as well as the code viewing interfaces of repository hosting services (GitHub, GitLab, Bitbucket and all Atlassian products).


There are several ways to turn the method into a malicious change: adding a hidden "return" statement that ends a function early; commenting out expressions that appear, in the rendered view, to be live code (for example to disable important checks); or assigning different string values so that a string comparison or validation fails.

For example, an attacker could propose a change that includes the line:

if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {

which the review interface displays as:

if access_level != "user" { // Check if admin

The parser, however, sees a single string literal running from "user" to the closing quote, so the comparison is against a string that never matches.
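The line above rebuilt with the real control characters, together with a check for runs left open at end of line, as an added Python example (this is not code from the article or from the Cambridge paper; the function names, the early_return_snippet variant with its bank dictionary, and the sample inputs are constructed for this example):

```python
"""Trojan Source: build the article's line with real bidi controls and detect them.

Added example, not code from the article or the Cambridge paper. The function
names and the sample snippets (trojan_line, early_return_snippet) are constructed here.
"""
import unicodedata

# Bidi controls the article lists: U+061C, U+200E/F, U+202A..U+202E, U+2066..U+2069
BIDI_CONTROLS = {
    "\u061C": "ALM", "\u200E": "LRM", "\u200F": "RLM",
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
OPENS_EMBEDDING = {"\u202A", "\u202B", "\u202D", "\u202E"}  # each closed by PDF (U+202C)
OPENS_ISOLATE = {"\u2066", "\u2067", "\u2068"}              # each closed by PDI (U+2069)


def trojan_line():
    """The article's example in logical (compiler) order: RLO, LRI, PDI, LRI."""
    return 'if access_level != "user\u202E \u2066// Check if admin\u2069 \u2066" {'


def strip_controls(text):
    """What the parser effectively tokenizes once the invisible controls are dropped."""
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def find_controls(text):
    """(line, column, codepoint, short name) for every bidi control in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return hits


def unterminated_lines(text):
    """Lines that open an embedding or isolate without closing it before the newline.

    The bidi algorithm resets at end of paragraph, so a legitimate RTL comment closes
    its runs on the same line; a run left open is the signature of the attack.
    """
    bad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        embeddings = isolates = 0
        for ch in line:
            if ch in OPENS_EMBEDDING:
                embeddings += 1
            elif ch == "\u202C":
                embeddings = max(embeddings - 1, 0)
            elif ch in OPENS_ISOLATE:
                isolates += 1
            elif ch == "\u2069":
                isolates = max(isolates - 1, 0)
        if embeddings or isolates:
            bad.append(lineno)
    return bad


def early_return_snippet():
    """Constructed Python variant of the hidden-return trick: the RLI makes the
    trailing ''' ;return render as "return; '''" inside the docstring, while the
    interpreter sees the docstring close and then a real return statement."""
    return (
        "bank = {'alice': 100}\n"
        "def subtract_funds(account, amount):\n"
        "    ''' Subtract funds from bank account then \u2067''' ;return\n"
        "    bank[account] -= amount\n"
        "subtract_funds('alice', 50)\n"
    )


def run_snippet(src):
    """Execute the snippet and return alice's balance; 100 means the hidden return fired."""
    ns = {}
    exec(src, ns)
    return ns["bank"]["alice"]


if __name__ == "__main__":
    for lineno, col, cp, short in find_controls(trojan_line()):
        print(f"line {lineno} col {col}: {cp} {short} ({unicodedata.name(chr(int(cp[2:], 16)))})")
    print("parser sees:", strip_controls(trojan_line()))
    print("unterminated on lines:", unterminated_lines(trojan_line()))
    print("balance after trojan snippet:", run_snippet(early_return_snippet()))
```

The unterminated-run check is the rule the article recommends for compilers and review tools: a bidi run that is still open at the end of the line is never needed for a genuine right-to-left comment and is exactly what the attack needs to pull later text back over the hidden code.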

In addition, a second attack (CVE-2021-42694) has been described that relies on homoglyphs: characters that look alike but have different meanings and different Unicode code points (for example "ɑ" (U+0251) resembles "a", "ɡ" (U+0261) resembles "g", and "ɩ" (U+0269) resembles "l"). In languages that allow such characters in identifiers, they can be used in function and variable names to mislead developers. For example, two functions with visually indistinguishable names can be defined that perform different actions, and without detailed analysis it is not obvious which of the two is called at a given site.
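The homoglyph case as an added Python example (not code from the article or the paper): a constructed snippet defines is_admin and a look-alike is_ɑdmin spelled with U+0251, and two review-time checks flag it. The CONFUSABLES map and the sample source are assumptions made for this example; the map covers only the three characters the article names, whereas a real tool would use the full confusables table from Unicode TS #39.

```python
"""Homoglyph identifiers: a constructed snippet plus two review-time checks.

Added example, not code from the article or the Cambridge paper. SAMPLE, CONFUSABLES
and the function names are assumptions made for this example.
"""
import io
import keyword
import tokenize
import unicodedata

# Only the three look-alikes the article names; the real list (UTS #39 confusables.txt)
# is far larger than this map.
CONFUSABLES = {"\u0251": "a", "\u0261": "g", "\u0269": "l"}

# Constructed sample: two functions whose names differ only in a (U+0061) vs ɑ (U+0251).
# Python NFKC-normalizes identifiers, but U+0251 has no decomposition, so both stay distinct.
SAMPLE = (
    "def is_admin(user):\n"
    "    return user == 'root'\n"
    "def is_\u0251dmin(user):\n"
    "    return True\n"
    "def allowed(user):\n"
    "    return is_\u0251dmin(user)\n"
)


def identifiers(src):
    """All non-keyword NAME tokens in a Python source string."""
    return [
        tok.string
        for tok in tokenize.generate_tokens(io.StringIO(src).readline)
        if tok.type == tokenize.NAME and not keyword.iskeyword(tok.string)
    ]


def non_ascii_identifiers(src):
    """Map each identifier containing non-ASCII characters to those characters' names."""
    report = {}
    for name in set(identifiers(src)):
        odd = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in name if ord(c) > 127]
        if odd:
            report[name] = odd
    return report


def skeleton(name):
    """Replace known confusables by their ASCII look-alike."""
    return "".join(CONFUSABLES.get(c, c) for c in name)


def confusable_pairs(src):
    """Groups of distinct identifiers that collapse to the same skeleton."""
    groups = {}
    for name in set(identifiers(src)):
        groups.setdefault(skeleton(name), set()).add(name)
    return sorted(tuple(sorted(g)) for g in groups.values() if len(g) > 1)


def run_sample():
    """Execute SAMPLE: a reviewer reading allowed() sees is_admin, the interpreter calls the look-alike."""
    ns = {}
    exec(SAMPLE, ns)
    return ns["allowed"]("guest")


if __name__ == "__main__":
    print("allowed('guest') ->", run_sample())
    print("non-ASCII identifiers:", non_ascii_identifiers(SAMPLE))
    print("confusable groups:", confusable_pairs(SAMPLE))
```

Flagging every identifier with a non-ASCII character is the cheap check and is enough for an ASCII-only code base; the skeleton comparison is what catches the case where a project legitimately uses non-Latin identifiers and an attacker adds one that collides visually with an existing name.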


As a protective measure, it is recommended that compilers, interpreters and build tools that accept Unicode emit an error or warning when comments, string literals or identifiers contain unpaired control characters that change the display direction (U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069, U+061C, U+200E and U+200F). Such characters should also be explicitly prohibited by programming language specifications and should be highlighted in code editors and repository interfaces.

Addendum 1: Fixes for the vulnerability have been prepared for GCC, LLVM/Clang, Rust, Go, Python and binutils. GitHub, Bitbucket and Jira have also fixed the issue; a GitLab fix is in progress. To find problematic code, the following command is suggested (the $'\u...' escapes require bash 4.2 or later and a UTF-8 locale): grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]' source

Addendum 2: Russ Cox, one of the developers of the Plan 9 operating system and the Go programming language, criticized the excessive attention given to the described attack method, noting that it has long been known in several projects (Go, Rust, C++, Ruby) and was not treated as serious. According to Cox, the problem is primarily one of correctly displaying information in code editors and web interfaces, which can be solved with proper tooling and code analyzers at review time. Rather than drawing attention to speculative attacks, it would be more productive to focus on improving code review and dependency review processes.

Russ Cox also believes that compilers are the wrong place to fix the problem: even if dangerous characters are banned at the compiler level, a large class of tools remains in which these characters are still accepted, such as build systems, assemblers, package managers and the many parsers for configuration files and data. He cites the Rust project, which blocked LTR/RTL control characters in the compiler but added no corresponding fix to the Cargo package manager, so the same attack remains possible through a Cargo.toml file. Likewise, files such as BUILD.bazel, CMakefile, Cargo.toml, Dockerfile, GNUmakefile, Makefile, go.mod, package.json, pom.xml and requirements.txt can serve as vectors for the attack.

Source: opennet.ru
