#2293 Right to left text and security

Tracker: Bug
Status: closed-invalid
Owner: nobody
Labels: scintilla (611)
Priority: 5
Updated: 2021-12-06
Created: 2021-11-07
Creator: Ale Vesely
Private: No

Trojan Source reported source code attacks, including commenting out using RTL, like so:

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* Both comment lines below contain U+202E (RLO) and U+2066/U+2069
       (LRI/PDI). The compiler sees two ordinary comments, so the printf
       runs unconditionally; a bidi-aware display instead shows what looks
       like an if (isAdmin) block around it. */
    /*‮ } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only ‮ { ⁦*/
    return 0;
}

The appearance of that code in Geany is shown in bug 2981.

I don't know the Geany code. A developer says this issue (even a decision to postpone a complete solution and provide just a quick patch to avoid the worst) should be coordinated with Scintilla.

Discussion

  • Neil Hodgson - 2021-11-07

    I'm not sure there is a need to do anything. This is similar to homograph spoofing attacks.

    Directional overrides are a valid Unicode feature needed to show text in accordance with the author's intent. Scintilla should follow directional overrides in situations where they currently aren't being followed.

    If you want to show (and disrupt) directional overrides, then assign them representations:
    https://www.scintilla.org/ScintillaDoc.html#CharacterRepresentations

    With SciTE, for example, set:

    representations=\u202E=RLO,\u2066=LRI,\u2067=RLI,\u2069=PDI
    

    The file will then appear as:

    [screenshot of the file rendered in SciTE with those representations]
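As an added example (not code from this bug report, from Scintilla or from SciTE): a small Python scanner that does in a CI or review step what the representations setting above does in the editor. It locates every Unicode bidi control character in a source file, renders each one as a visible tag, and flags an override or isolate that is still open when the line ends, which is the signature of the commenting-out trick in the report (the line break terminates the override, so the attacker never writes a PDF/PDI). The sample input is the report's C snippet, reconstructed inline with escape sequences; the `Finding` class, `scan`, `make_visible` and `report` names are this example's own.

```python
# Added example, not code from this bug report, Scintilla or SciTE.
# Scans source text for Unicode bidirectional control characters and flags
# the Trojan Source pattern: an override/isolate still open at end of line.
from dataclasses import dataclass

# Code point -> short name, matching the aliases used in SciTE's
# "representations" setting (RLO, LRI, RLI, PDI, ...).
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EMBED_OPEN = {"LRE", "RLE", "LRO", "RLO"}   # closed by PDF
ISOLATE_OPEN = {"LRI", "RLI", "FSI"}        # closed by PDI


@dataclass
class Finding:
    line: int           # 1-based line number
    col: int            # 1-based code-point column
    name: str           # e.g. "RLO"
    unterminated: bool  # still open when the line ended


def scan(text: str) -> list[Finding]:
    """Locate every bidi control in `text`.

    A line break implicitly closes any open embedding, override or isolate,
    which is exactly what the commenting-out trick relies on: the attacker
    never writes the PDF/PDI, so anything still on the stack at end of line
    is reported as unterminated.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stack: list[Finding] = []
        for col, ch in enumerate(line, 1):
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            finding = Finding(lineno, col, name, unterminated=False)
            findings.append(finding)
            if name in EMBED_OPEN or name in ISOLATE_OPEN:
                stack.append(finding)
            elif name == "PDI":
                # PDI closes the nearest open isolate and everything opened
                # inside it (UAX #9 isolate semantics).
                for i in range(len(stack) - 1, -1, -1):
                    if stack[i].name in ISOLATE_OPEN:
                        del stack[i:]
                        break
            elif name == "PDF" and stack and stack[-1].name in EMBED_OPEN:
                # PDF closes one embedding/override, never an isolate.
                stack.pop()
        for finding in stack:
            finding.unterminated = True
    return findings


def make_visible(text: str) -> str:
    """Render each control as a visible tag, the editor-side fix from the thread."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c for c in text)


# Constructed sample: the report's C snippet, with the controls written as
# escapes so the attack is visible in this file.
SAMPLE = (
    "#include <stdio.h>\n"
    "#include <stdbool.h>\n"
    "\n"
    "int main() {\n"
    "    bool isAdmin = false;\n"
    "    /*\u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    '        printf("You are an admin.\\n");\n'
    "    /* end admins only \u202E { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)


def report(text: str) -> list[str]:
    """One human-readable line per finding, suitable for a CI log."""
    lines = text.splitlines()
    out = []
    for f in scan(text):
        flag = "UNTERMINATED " if f.unterminated else ""
        shown = make_visible(lines[f.line - 1]).strip()
        out.append(f"{f.line}:{f.col}: {flag}{f.name}  |  {shown}")
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(entry)
```

Run against the sample, the scanner reports six controls on lines 6 and 8 and marks four of them unterminated: the RLO and the trailing LRI on each of the two comment lines. Legitimate bidi text (a properly paired LRI ... PDI inside a string literal, say) produces findings but no unterminated flag, which is the distinction a review gate should act on. Recent compilers perform the same check at build time (GCC 12's -Wbidi-chars warns on unpaired controls by default), so this belongs in the review path as well as in the editor.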
  • Neil Hodgson - 2021-11-12
    • labels: --> scintilla
    • status: open --> open-invalid
     
  • Neil Hodgson - 2021-11-12

    Rejecting this bug report as Scintilla is behaving correctly.

     
  • Ale Vesely - 2021-11-13

    Thank you, Neil

     
  • Neil Hodgson - 2021-12-06
    • status: open-invalid --> closed-invalid
     
