FHIR Chat · Unicode Characters · Security and Privacy

Stream: Security and Privacy

Topic: Unicode Characters


view this post on Zulip Grahame Grieve (Nov 02 2021 at 00:29):

https://www.schneier.com/blog/archives/2021/11/hiding-vulnerabilities-in-source-code.html

This affects any parsed text. I'm going to make the validator create a warning any time it sees one of these characters in a resource, and there'll be an option to make it an error

view this post on Zulip Josh Mandel (Nov 02 2021 at 03:20):

Can you throw these checks into my operating system clipboard and third-party clipboard manager as well? :-)

(Seriously this vuln is a diabolical delight -- awards clever anagrams.)

view this post on Zulip Grahame Grieve (Nov 02 2021 at 06:40):

Should I worry about Unicode control characters in XML and JSON whitespace?

view this post on Zulip Grahame Grieve (Nov 02 2021 at 06:42):

https://twitter.com/GrahameGrieve/status/1455425097511038980

view this post on Zulip Grahame Grieve (Nov 02 2021 at 06:48):

https://github.com/hapifhir/org.hl7.fhir.core/compare/gg-202110-CVE-2021-42574?expand=1 (and https://confluence.hl7.org/display/FHIR/Using+the+FHIR+Validator#UsingtheFHIRValidator-UnicodeControlChars)

view this post on Zulip John Moehrke (Nov 02 2021 at 15:07):

and this is why I use punch-cards for all my editing.

view this post on Zulip David Pyke (Nov 02 2021 at 15:12):

I converted my windows desktop to use EBCDIC. 6 bits is all we'll ever need.

view this post on Zulip John Moehrke (Nov 02 2021 at 15:39):

To be clear, this vulnerability has more to do with the code editors / viewers that humans use. The compilers are treating the source file as a stream of bytes. It is unfortunate that this is characterized as a bug in code files.

view this post on Zulip John Moehrke (Nov 02 2021 at 15:40):

I fail to understand why this is such a shock. Back in the terminal days it was common to use the backspace character to overwrite characters, this was often how a spinner was shown on a terminal screen.

view this post on Zulip John Moehrke (Nov 02 2021 at 15:40):

Not to say that it should not be added as rules to GitHub/GitLab code inspection, with a warning "do you really want this?".

view this post on Zulip David Pyke (Nov 02 2021 at 15:41):

Having to worry about sanitizing character streams is so 1990s. It should be automatic now.

view this post on Zulip John Moehrke (Nov 02 2021 at 15:41):

Well, we used to only have two backspace characters... Unicode gives us so much more flexibility.

view this post on Zulip John Moehrke (Nov 02 2021 at 15:43):

It is those ^G that are so much more annoying; we all know when someone on an HL7 Zoom is doing a FHIR core build.

view this post on Zulip John Moehrke (Nov 02 2021 at 16:08):

From the Krebs article, I very much loved this quote:

“It is already hard for humans to tell ‘this is OK’ from ‘this is evil’ in source code,” Weaver

view this post on Zulip Mohammad Jafari (Nov 19 2021 at 16:18):

I knew it was a bad idea to allow emojis in variable names.

view this post on Zulip David Pyke (Nov 19 2021 at 16:19):

If you do that in interop code, just set the evil bit on send and people can take appropriate precautions.

view this post on Zulip David Pyke (Nov 19 2021 at 16:19):

https://datatracker.ietf.org/doc/html/rfc3514


Last updated: Apr 12 2022 at 19:14 UTC