Bug 238630 - [Bugzilla] Code reviews show non-ASCII characters in patches as garbage
Summary: [Bugzilla] Code reviews show non-ASCII characters in patches as garbage
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Myles C. Maxfield
URL:
Keywords: InRadar
: 75394 (view as bug list)
Depends on:
Blocks:
 
Reported: 2022-03-31 13:35 PDT by Myles C. Maxfield
Modified: 2022-04-01 10:50 PDT (History)
5 users (show)

See Also:


Attachments
Patch (1.45 KB, patch)
2022-03-31 13:37 PDT, Myles C. Maxfield
no flags Details | Formatted Diff | Diff
Patch (1.44 KB, patch)
2022-03-31 13:38 PDT, Myles C. Maxfield
darin: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Myles C. Maxfield 2022-03-31 13:35:59 PDT
[Bugzilla] Code reviews show non-ASCII characters in patches as garbage
Comment 1 Myles C. Maxfield 2022-03-31 13:37:48 PDT
Created attachment 456274 [details]
Patch
Comment 2 Myles C. Maxfield 2022-03-31 13:38:18 PDT
Created attachment 456275 [details]
Patch
Comment 3 Myles C. Maxfield 2022-03-31 13:43:20 PDT
Committed r292170 (249077@trunk): <https://commits.webkit.org/249077@trunk>
Comment 4 Radar WebKit Bug Importer 2022-03-31 13:44:16 PDT
<rdar://problem/91123203>
Comment 5 mitz 2022-03-31 14:01:42 PDT
Is this a duplicate of bug 75394?
Comment 6 Alexey Proskuryakov 2022-03-31 19:42:21 PDT
I just realized that there is a downside to this change. Now our review page no longer serves as a defense against attacks like https://trojansource.codes.

This seems fairly serious, perhaps we should undo it?
Comment 7 Myles C. Maxfield 2022-03-31 21:26:31 PDT
If we (the WebKit team) decide that we do need to take additional actions here (a conclusion which I don’t think is foregone), the action shouldn’t be to revert this patch thereby relying on accidental behavior. If we want to show certain characters as visible, we should do so by intentionally writing code to do it. If we do want a mitigation, we can surely find a middle ground where some Unicode characters are replaced but others aren’t.
Comment 8 Myles C. Maxfield 2022-03-31 21:31:25 PDT
(In reply to mitz from comment #5)
> Is this a duplicate of bug 75394?

It looks to me like “yes” but if that bug is still reproducing then maybe not?
Comment 9 Alexey Proskuryakov 2022-03-31 21:54:35 PDT
It doesn't seem worth the effort to develop any non-trivial mitigations, as pretty soon patch review will be on GitHub. But while it's here, it seems not great to create security risk.
Comment 10 Myles C. Maxfield 2022-04-01 10:28:08 PDT
*** Bug 75394 has been marked as a duplicate of this bug. ***
Comment 11 Myles C. Maxfield 2022-04-01 10:48:20 PDT
Does GitHub code review have mitigations for Trojan Source?
Comment 12 Myles C. Maxfield 2022-04-01 10:50:49 PDT
Looks like GitHub displays a message, e.g https://github.com/nickboucher/trojan-source/blob/eaca01d01bfd588d805fbc711c39a1b3679ac484/Python/commenting-out.py