Directionality controls for malicious code

Eli Zaretskii eliz at
Thu Dec 2 12:31:28 CST 2021

> Date: Thu, 2 Dec 2021 16:19:12 +0100
> From: Daniel Bünzli <daniel.buenzli at>
> Cc: unicode at
> I'm not familiar enough with the bidi algorithm but for example it seems that unbounded RLO or RLI in a span should be forbidden unless they are properly balanced with a matching PDI or PDF

The UBA mandates that all embeddings end at paragraph end, i.e. at a
newline.  So unterminated embeddings and isolates behave exactly as
terminated ones do, and requiring the embeddings and isolates to be
properly terminated will only catch sloppy malicious tinkering with
these controls; it won't catch the non-sloppy ones.

> But I'm sure the problem is much more complex than that and I'd be curious if people in the know of the algorithm have an idea on how to go about it. 

I did have some ideas, and implemented detection of suspicious
reordering for Emacs.
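
The point made in the reply above, shown as an added example (not part of the original message, and not the Emacs implementation): a per-paragraph scanner that tracks explicit embeddings and isolates, showing that a balance-only rule reports the unterminated paragraph but passes the terminated one. The function name `scan`, the finding fields, and the constructed `SAMPLE` text are assumptions made for illustration.

```python
import re

# Explicit directional formatting characters defined by the UBA (UAX #9).
EMBEDDINGS = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO"}
ISOLATES = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
PDF, PDI = "\u202c", "\u2069"
# Characters with Bidi_Class B (paragraph separators): the UBA closes every
# open embedding and isolate at these, terminated or not.
PARAGRAPH_BREAK = re.compile("\r\n|[\n\r\x1c\x1d\x1e\x85\u2029]")

# Constructed sample: paragraph 2 terminates its override, paragraph 3 does not.
SAMPLE = "plain line\nvalue = 1 # \u202enote\u202c\nvalue = 2 # \u202enote\n"


def scan(text):
    """Return one finding per paragraph that contains explicit bidi controls."""
    findings = []
    for number, para in enumerate(PARAGRAPH_BREAK.split(text), start=1):
        stack, controls, stray = [], [], 0
        for ch in para:
            if ch in EMBEDDINGS or ch in ISOLATES:
                name = EMBEDDINGS.get(ch) or ISOLATES[ch]
                stack.append(name)
                controls.append(name)
            elif ch == PDF:
                controls.append("PDF")
                # PDF closes only an embedding or override on top of the stack.
                if stack and stack[-1] in EMBEDDINGS.values():
                    stack.pop()
                else:
                    stray += 1
            elif ch == PDI:
                controls.append("PDI")
                # PDI closes the nearest isolate and any embeddings inside it.
                if any(s in ISOLATES.values() for s in stack):
                    while stack.pop() not in ISOLATES.values():
                        pass
                else:
                    stray += 1
        if controls:
            findings.append({"paragraph": number, "controls": controls,
                             "unterminated": stack, "stray_closers": stray,
                             "balanced": not stack and stray == 0})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A reviewer policy built on this would report every paragraph in the findings list, using the `balanced` field only as extra context.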
