Summary
The random insertion of empty Unicode characters was a very simple (in a good way) implementation of obfuscation but had a few downsides. Most importantly, it broke syntax highlighting in Discord, which can be very useful for properly understanding the code sent. Another downside was that some outright reported that it didn't work, most likely because their operating system didn't copy the Unicode characters.
This is on hold until #5 (and potentially #8) has been completed.
Description
According to the recently (I say recently, although it was months ago) acknowledged Unicode-related CVE report, there are a number of confusing Unicode behaviours we can take advantage of. In response to the CVE report there was a PEP released for Python-specific knowledge surrounding it, available as PEP 672. It brings up the following:
Control characters: Using NUL and BS (Backspace) to cause Python to stop reading input or the editor to remove particular characters.
Confusable characters: Mixing Cyrillic, Greek and Latin characters that look the same, but are read differently by Python.
Bidirectional text and marks: Using Arabic or Hebrew characters to cause text to be rendered right-to-left or simply using the control characters directly.
Unicode codepoints vs. characters: Python strings use unicode codepoints, but different codepoints may produce/render the same character.
These are all things we can look into and consider. A first step could be figuring out how to restrict the hidden zero-space unicode characters from being placed next to keywords.
Additional resources
Similar Unicode technical reports (tr36 and tr39)
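For anyone reviewing code that may have passed through this kind of obfuscation, the four PEP 672 categories listed in the description can be flagged mechanically. The scanner below is an added example, not part of this issue or the project's code; `scan`, `script_of`, `BIDI_CONTROLS` and the sample input are constructed for illustration, and the script check is a coarse guess based on Unicode character names.

```python
import re
import unicodedata

# Explicit bidirectional control characters (marks, embeddings, overrides, isolates).
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
SCRIPTS = ("LATIN", "GREEK", "CYRILLIC")

def script_of(ch):
    """Coarse script guess from the character name (assumption: three scripts suffice)."""
    name = unicodedata.name(ch, "")
    return next((s for s in SCRIPTS if name.startswith(s)), None)

def scan(source):
    """Return sorted (line, column, kind, detail) findings for one source string."""
    findings = []
    for lineno, line in enumerate(source.split("\n"), 1):
        for col, ch in enumerate(line):
            cat = unicodedata.category(ch)
            if ch in BIDI_CONTROLS:
                kind = "bidi-control"
            elif cat == "Cf":  # zero-width space/joiner, BOM, word joiner
                kind = "invisible-format"
            elif cat == "Cc" and ch not in "\t\r":  # NUL, BS and other controls
                kind = "control"
            else:
                continue
            findings.append((lineno, col, kind, f"U+{ord(ch):04X}"))
        for m in re.finditer(r"\w+", line):
            word = m.group()
            # Identifier-like word that mixes look-alike scripts
            scripts = sorted({script_of(c) for c in word} - {None})
            if len(scripts) > 1:
                findings.append((lineno, m.start(), "mixed-script", "+".join(scripts)))
            # Python NFKC-normalizes identifiers, so a differing form is a second spelling
            folded = unicodedata.normalize("NFKC", word)
            if folded != word:
                findings.append((lineno, m.start(), "nfkc-differs", folded))
    return sorted(findings)

# Constructed sample input, written with escapes so every odd character is visible here.
SAMPLE = (
    "def check(user):\n"
    "    if user == 'admin\u202e':\n"
    "        s\u200bcope = 1\n"
    "        \u0430dmin = 0\n"
    "        \ufb01le = 'x'\x08\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```
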