From: Philipp K. K. <pk...@sp...> - 2025-10-23 11:06:56
On 23.10.25 at 10:37, Philipp Klaus Krause wrote:
> * Regarding the security implication of Unicode (e.g. homoglyph
> attacks); having the normalization and the checks for valid identifiers
> does help here. C23 is safer than C11 was (which AFAIK allowed more
> Unicode in identifiers).
> But for a full solution we'd have to do more (N2932, rejected for C2y,
> but WG14 wanted it as TS, which so far didn't happen), but AFAIK,
> currently libraries that implement everything we'd want for security are
> not that widespread (they exist, in particular libu8ident, but I don't
> think many distros package them).

Though, since we'll do the configure-time check anyway, we could go for libu8ident instead of libunistring. That would give more security in builds that have the library. But fewer builds would have the library, since it is far less common. I guess we could link against a static libu8ident library, so there'd be no run-time dependency, at least?

Philipp