# New Ticket Created by Zoffix Znet
# Please include the string: [perl #128159]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=128159 >
Hi,

Currently, some invisible characters can be used as terms and operators. Some of those are:

    > [] U+2060 WORD JOINER [Cf]
    < [] U+200B ZERO WIDTH SPACE [Cf]
    + [] U+2061 FUNCTION APPLICATION [Cf]
    - [] U+2062 INVISIBLE TIMES [Cf]
    . [] U+2063 INVISIBLE SEPARATOR [Cf]
    , [] U+FEFF ZERO WIDTH NO-BREAK SPACE [Cf]

This allows for malicious and invisible action at a distance. For example, in one module I can define this invisible operator:

    sub prefix:<> is tighter(&infix:<or>) is export {spurt 'DEBUG.txt', $^a, :append};

It uses U+2063 invisible separator. Now, in code that `use`s this module, I'm now able to silently steal data, like say this:

    use SomethingInnocent;
    my $credit_card = '3333-4444-4444-4444'; # pretend this is coming in from DB

By prefixing the `my` with U+2063 invisible separator, I'm silently siphoning the data assigned to $credit_card into a secret file. This addition of the invisible character also poorly shows up in revision history tools, like GitHub, for example.

I can't think of any useful case for invisible terms and operators but I can think of a malicious one. Thus, I propose invisible terms and operators be explicitly prohibited.
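
An added example, not part of the original ticket and not Rakudo code: a review-time check that reports every Unicode format character (general category Cf, the category of all six characters listed in the ticket) in source text and renders it visibly. The function names and the sample strings are constructed for illustration, with U+2063 written as an escape; a U+FEFF at the very start of the text is assumed to be a byte order mark and is skipped.

```python
import unicodedata

# Constructed sample: the ticket's two snippets, with U+2063 written as an
# escape so the invisible character is explicit in this example.
SAMPLE_MODULE = (
    "sub prefix:<\u2063> is tighter(&infix:<or>) is export "
    "{spurt 'DEBUG.txt', $^a, :append};\n"
)
SAMPLE_CALLER = (
    "use SomethingInnocent;\n"
    "\u2063my $credit_card = '3333-4444-4444-4444';\n"
)


def find_invisible(text):
    """Return (line, column, 'U+XXXX', name) for each Cf character in text.

    Assumption: a U+FEFF as the very first character is a byte order mark
    and is not reported; anywhere else it is.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.category(ch) != "Cf":
                continue
            if ch == "\ufeff" and lineno == 1 and col == 1:
                continue
            name = unicodedata.name(ch, "<unnamed>")
            findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


def render_visible(text):
    """Replace each Cf character with a visible <U+XXXX> marker for review."""
    return "".join(
        f"<U+{ord(ch):04X}>" if unicodedata.category(ch) == "Cf" else ch
        for ch in text
    )


if __name__ == "__main__":
    for label, src in (("module", SAMPLE_MODULE), ("caller", SAMPLE_CALLER)):
        for lineno, col, cp, name in find_invisible(src):
            print(f"{label}:{lineno}:{col}: {cp} {name}")
        print(render_visible(src), end="")
```

Run over a diff or a checkout before merge, this surfaces the change that the ticket notes shows up poorly in revision history tools.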