Security concerns: OGHAM SPACE MARK

David Starner prosfilaes at
Tue Jul 21 05:45:40 CDT 2015

On Tue, Jul 21, 2015 at 2:14 AM Dreiheller, Albrecht <
albrecht.dreiheller at> wrote:

> If the author really intends to deceive potential readers he will succeed.

Possibly. Code is hard. But the Ogham space is not a real threat; it's easy
to search for and obviously a deliberate attempt to confuse.

> Programming languages like JS should at least implement exclusion rules
> from the "Unicode Confusables Characters" list.

Have you looked at that list? 1 and l is one pair of confusables in that
list, and while that is an incredibly classic confusable pair, it's not one
that's implementable in a programming language. а and a is another pair;
but if you ban а, you've practically banned Cyrillic identifiers completely.

> Otherwise such programming languages ought to be black-listed.

Black-listed? By whom? If you wish to make sure a set of code you control
does not use non-ASCII characters, most source-control systems.will let you
reject such files from being checked in. If you want to reject JavaScript
altogether, that is also your freedom. But of all the attacks weighed
against JavaScript, I seriously doubt that this is the one that will bring
it down.

As note for confusable code, let me point out this code that someone tried
to illicitly push into the Linux CVS back in 2003:

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
                     retval = -EINVAL;

the all-ASCII trick being that current->uid is being set to zero, not
checked. It would be much easier to find any sort of Unicode trick then a
backdoor like that in a sufficiently large body of code.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Unicode mailing list