[erlang-questions] Atom Unicode Support

José Valim jose.valim@REDACTED
Wed Feb 3 18:25:55 CET 2016


I just wanted to clarify, to avoid any confusion, this patch is mostly
about support for unicode atom forms in the compiler. This is a required
step if you ever want to support Unicode in the language but it does not
imply such. There are three main milestones:

1. Support unicode atom forms (i.e. the form {atom, Line, Atom} can have a
UTF-8 encoded atom)
2. Support unicode atoms between single quotes (for example, 'ノクス', as you
can already write "ノクス")
3. Support unicode in the language (for example, being able to write
variables in Japanese)

This discussion was originally related to 1 but I could contribute 2 if
desired. Many of the concerns raised above are related to step 3 which,
afaik, is not planned.


*José Valim*
www.plataformatec.com.br
Skype: jv.ptec
Founder and Director of R&D

On Wed, Feb 3, 2016 at 6:00 PM, Felix Gallo <felixgallo@REDACTED> wrote:

> Oh for sure there's all sorts of hilarity in C.  Doubtless in erlang,
> too.  But the existence of other attack vectors doesn't suggest that you
> should ignore a new one.
>
> It'd probably be a good idea, if this were to be implemented, if there
> were some tooling or flags for the compiler to warn when unicode was used
> in a potentially dangerous setting, so that people taking pull requests on
> erlang code (or even just typing code wrong) could avoid some classes of
> possible exploits.
>
> On Wed, Feb 3, 2016 at 8:47 AM, Fred Hebert <mononcqc@REDACTED> wrote:
>
>> On 02/03, Felix Gallo wrote:
>>
>>> There's also an interesting security issue around Unicode source code.
>>>
>>> Take for example the recent hack of Cryptsy, which involved a guy taking
>>> what looked like an innocent and safe pull request to fix an issue in one
>>> part of his software, but through the magic of the preprocessor, turned out
>>> to do something else entirely:
>>>
>>>
>>> http://earlz.net/view/2016/01/16/0717/analyzing-the-56-million-exploit-and-cryptsys-security
>>>
>>
>> My counter-argument to that is that you don't need any of that cool UTF
>> stuff to do that.
>>
>> See:
>>
>> - http://www.underhanded-c.org/ underhanded C contest is all about
>> writing regular looking C code doing nasty stuff
>> - http://arstechnica.co.uk/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/
>> juniper code was broken by someone adding in a password check that looked
>> like a log line
>> - http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/
>> using a non-prime in crypto communication, possibly being a backdoor.
>>
>>
>
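The kind of warning tooling Felix Gallo suggests in the quoted message, applied to milestone 2 (Unicode atoms between single quotes), as an added example that is not code from this thread or from Erlang/OTP. What counts as "potentially dangerous" is an assumption here (invisible format characters, mixed scripts, non-NFC text), and all function names are hypothetical.

```python
import re
import unicodedata

# Single-quoted Erlang atom, allowing backslash escapes inside the quotes.
# Simplification: comments, strings and $' character literals are not skipped.
QUOTED_ATOM = re.compile(r"'((?:[^'\\\n]|\\.)*)'")

def script_of(ch):
    """Rough script label: the first word of the character's Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def check_atom(atom):
    """Return a list of warning strings for one atom's text."""
    warnings = []
    if atom.isascii():
        return warnings
    # Invisible format characters (category Cf): bidi controls, zero-width chars.
    hidden = [c for c in atom if unicodedata.category(c) == "Cf"]
    if hidden:
        warnings.append("invisible format character(s): " +
                        ", ".join("U+%04X" % ord(c) for c in hidden))
    # Letters from more than one script, e.g. Latin mixed with Cyrillic.
    # Heuristic only: Japanese text mixing kana and kanji is flagged too.
    scripts = {script_of(c) for c in atom if c.isalpha()}
    if len(scripts) > 1:
        warnings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    # Not NFC: the same visible text can be spelled with different code points.
    if unicodedata.normalize("NFC", atom) != atom:
        warnings.append("not NFC-normalized")
    return warnings

def lint_source(text):
    """Return (line_number, atom, warning) for each flagged quoted atom."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in QUOTED_ATOM.finditer(line):
            findings.extend((lineno, m.group(1), w) for w in check_atom(m.group(1)))
    return findings

# Constructed sample input (not from the thread).
SAMPLE = (
    "start() -> '\u30ce\u30af\u30b9'.\n"   # the thread's katakana atom: no warning
    "role() -> '\u0430dmin'.\n"            # Cyrillic a followed by Latin "dmin"
    "mode() -> 'safe\u200bmode'.\n"        # zero-width space inside the atom
    "name() -> 'cafe\u0301'.\n"            # e + combining acute, not NFC
)

if __name__ == "__main__":
    for lineno, atom, warning in lint_source(SAMPLE):
        print("line %d: %r: %s" % (lineno, atom, warning))
```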