On Mon, 1 Nov 2021 at 22:51, Jérémy Lal <kapo...@melix.org> wrote:
>
> On Mon, 1 Nov 2021 at 22:29, Felix Lechner <felix.lech...@lease-up.com> wrote:
>
>> Hi,
>>
>> On Mon, Nov 1, 2021 at 2:21 PM Jérémy Lal <kapo...@melix.org> wrote:
>> >
>> > grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]'
>>
>> Does that cover both conditions?
>
> It seems from the paper at
> https://trojansource.codes/trojan-source.pdf
> and the list given also at
> https://www.unicode.org/reports/tr9/tr9-42.html
> that those nine characters are the ones that should be checked.
>
>> There is a risk that it will be slow, by the way—but I generally favor
>> doing things right, so no problem here.
>
> Maybe the Debian security team already has something in mind, or has a better
> understanding of this CVE-2021-42574 and CVE-2021-42694 issue.

Update:
the Python script I linked at the start of the conversation is now available at
https://github.com/siddhesh/find-unicode-control
I'm not sure it's worth packaging it - using grep looks somewhat simpler.

Jérémy
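The recursive check discussed in this thread, as an added Python example that is not part of the original messages and is not the linked find-unicode-control script. It looks for the same code points as the quoted grep bracket expression and reports line, column and character name; the function names and the sample files are constructed for illustration, and files are assumed to be UTF-8.

```python
import os
import tempfile
import unicodedata

# The code points from the grep bracket expression quoted in the thread.
BIDI_CONTROLS = frozenset(
    "\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069"
)

def scan_text(text):
    """Return (line, column, 'U+XXXX', name) per bidi control, 1-based."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                name = unicodedata.name(ch, "UNKNOWN")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits

def scan_tree(root):
    """Walk root like `grep -r`; decode every file as UTF-8 whatever the
    locale (invalid bytes become U+FFFD) and return {path: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets, broken symlinks
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file
            hits = scan_text(data.decode("utf-8", errors="replace"))
            if hits:
                findings[path] = hits
    return findings

def demo():
    """Scan a constructed tree: one clean file, one holding U+202E/U+202C."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.c"), "w", encoding="utf-8") as fh:
            fh.write("int main(void) { return 0; }\n")
        with open(os.path.join(root, "flagged.c"), "w", encoding="utf-8") as fh:
            fh.write("int x = 1;\n/* note \u202E hidden \u202C */\n")
        return {os.path.basename(p): h for p, h in scan_tree(root).items()}

if __name__ == "__main__":
    for fname, hits in demo().items():
        for line, col, cp, label in hits:
            print(f"{fname}:{line}:{col}: {cp} {label}")
```

Unlike a plain grep match, the report names each character found, which helps when triaging legitimate right-to-left text against unexpected overrides in code.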