Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warn on bidirectional Unicode text (CVE-2021-42574) #17514

Closed
0xC0ncord opened this issue Nov 1, 2021 · 2 comments · Fixed by #17562
Closed

Warn on bidirectional Unicode text (CVE-2021-42574) #17514

0xC0ncord opened this issue Nov 1, 2021 · 2 comments · Fixed by #17562
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!

Comments

@0xC0ncord
Copy link

Feature Description

After the public disclosure of CVE-2021-42574, Github now displays a warning when a file's contents include bidirectional Unicode text in order to mitigate the effects of the flaw.

It would be nice if Gitea could implement similar functionality.

Screenshots

No response
@lunny lunny added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Nov 2, 2021
@amber-ailuridae
Copy link

This is a big deal for development teams looking to mitigate risk related to CVE-2021-42574. Proper code review is considerably harder without a feature like this in place.

@bagasme
Copy link
Contributor

bagasme commented Nov 4, 2021

For the wording of warning message, I suggest:

This file contains hidden Unicode characters that may be processed differently from what appears below.
If your use case is intentional and legitimate, you can safely ignore this warning. Consult documentation
of your favorite text editor for how to open this file using `DOS (CP 437)` encoding instead of Unicode,
to reveal hidden characters.

zeripath added a commit to zeripath/gitea that referenced this issue Nov 5, 2021
@zeripath
Add warning for BIDI characters in page renders and in diffs
dca05ee 
Fix go-gitea#17514

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this issue Nov 5, 2021
Merged
6543 pushed a commit that referenced this issue Jan 7, 2022
@zeripath @gwymor
@silverwind @wxiaoguang
Add warning for BIDI characters in page renders and in diffs (#17562)
21ed4fd 
Fix #17514

Given the comments I've adjusted this somewhat. The numbers of characters detected are increased and include things like the use of U+300 to make à instead of à and non-breaking spaces.

There is a button which can be used to escape the content to show it.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Gwyneth Morgan <gwymor@tilde.club>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Chianina pushed a commit to Chianina/gitea that referenced this issue Mar 28, 2022
@zeripath @gwymor
@silverwind @wxiaoguang
Add warning for BIDI characters in page renders and in diffs (go-gite…
2703dff 
…a#17562)

Fix go-gitea#17514

Given the comments I've adjusted this somewhat. The numbers of characters detected are increased and include things like the use of U+300 to make à instead of à and non-breaking spaces.

There is a button which can be used to escape the content to show it.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Gwyneth Morgan <gwymor@tilde.club>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add warning for BIDI characters in page renders and in diffs zeripath/gitea
4 participants
@lunny @0xC0ncord @amber-ailuridae @bagasme