unicode-rs / unicode-security

Detect possible security problems with Unicode usage according to Unicode Technical Standard #39 rules.

Incorrect restriction levels for ascii strings #25

Closed sunfishcode closed 2 years ago

sunfishcode commented 2 years ago

unicode-security's RestrictionLevelDetection seems to detect an ASCII "a" as SingleScript rather than ASCIIOnly.

It also seems to detect a Cyrillic "а" as ASCIIOnly rather than SingleScript.

Specifically, this program:

```rust
use unicode_security::restriction_level::RestrictionLevelDetection;

fn main() {
    for string in &[
        "\u{61}",
        "\u{430}",
    ] {
        println!("{} ({}): {:?}",
            string.escape_unicode(),
            string.escape_debug(),
            string.detect_restriction_level(),
        );
    }
}
```

Prints this:

```
\u{61} (a): SingleScript
\u{430} (а): ASCIIOnly
```

Manishearth commented 2 years ago

huh, that's exceedingly strange

Manishearth commented 2 years ago

https://github.com/unicode-rs/unicode-security/pull/26

fortunately rustc doesn't rely on the distinction being drawn here

Manishearth commented 2 years ago

Published as 0.0.6
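
The classification the report at the top of this thread expects, as an added std-only sketch that is not part of the thread and not unicode-security's code. The names `Script`, `Level`, `coarse_script` and `level` are hypothetical, the script table is a constructed coarse subset of three blocks, and `Level::Broader` stands in for every UTS #39 level above Single Script.

```rust
// Added sketch: only the two lowest UTS #39 restriction levels, std only.
// The script table is a constructed, coarse subset (Latin, Greek, Cyrillic
// blocks), not the Unicode script data a real implementation uses.

#[derive(Debug, PartialEq, Clone, Copy)]
enum Script { Common, Latin, Greek, Cyrillic, Unknown }

#[derive(Debug, PartialEq)]
enum Level { AsciiOnly, SingleScript, Broader }

fn coarse_script(c: char) -> Script {
    match c {
        'a'..='z' | 'A'..='Z' | '\u{C0}'..='\u{24F}' => Script::Latin,
        '\u{0}'..='\u{7F}' => Script::Common, // remaining ASCII: digits, punctuation
        '\u{370}'..='\u{3FF}' => Script::Greek,
        '\u{400}'..='\u{4FF}' => Script::Cyrillic,
        _ => Script::Unknown,
    }
}

fn level(s: &str) -> Level {
    // ASCII-Only is tested first: every code point must be below U+0080.
    if s.is_ascii() {
        return Level::AsciiOnly;
    }
    // Single Script: ignoring Common, all characters share one known script.
    let mut seen: Option<Script> = None;
    for sc in s.chars().map(coarse_script).filter(|sc| *sc != Script::Common) {
        if sc == Script::Unknown || seen.map_or(false, |prev| prev != sc) {
            return Level::Broader;
        }
        seen = Some(sc);
    }
    Level::SingleScript
}

fn main() {
    // Constructed inputs: the two strings from the report plus a mixed-script one.
    for s in ["\u{61}", "\u{430}", "c\u{430}t"] {
        println!("{} ({}): {:?}", s.escape_unicode(), s, level(s));
    }
}
```

The same three assertions can be turned into a regression test against `detect_restriction_level()` on 0.0.6 or later.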