Bug 238630

Summary: [Bugzilla] Code reviews show non-ASCII characters in patches as garbage
Product: WebKit Reporter: Myles C. Maxfield <mmaxfield>
Component: New BugsAssignee: Myles C. Maxfield <mmaxfield>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, darin, mitz, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=75394
https://bugs.webkit.org/show_bug.cgi?id=45760
Attachments:
Description Flags
Patch
none
Patch darin: review+

Description Myles C. Maxfield 2022-03-31 13:35:59 PDT 
[Bugzilla] Code reviews show non-ASCII characters in patches as garbage
Comment 1 Myles C. Maxfield 2022-03-31 13:37:48 PDT 
Created attachment 456274 [details]
Patch
Comment 2 Myles C. Maxfield 2022-03-31 13:38:18 PDT 
Created attachment 456275 [details]
Patch
Comment 3 Myles C. Maxfield 2022-03-31 13:43:20 PDT 
Committed r292170 (249077@trunk): <https://commits.webkit.org/249077@trunk>
Comment 4 Radar WebKit Bug Importer 2022-03-31 13:44:16 PDT 
<rdar://problem/91123203>
Comment 5 mitz 2022-03-31 14:01:42 PDT 
Is this a duplicate of bug 75394?
Comment 6 Alexey Proskuryakov 2022-03-31 19:42:21 PDT 
I just realized that there is a downside to this change. Now our review page no longer serves as a defense against attacks like https://trojansource.codes.

This seems fairly serious, perhaps we should undo it?
Comment 7 Myles C. Maxfield 2022-03-31 21:26:31 PDT 
If we (the WebKit team) decide that we do need to take additional actions here (a conclusion which I don’t think is foregone), the action shouldn’t be to revert this patch thereby relying on accidental behavior. If we want to show certain characters as visible, we should do so by intentionally writing code to do it. If we do want a mitigation, we can surely find a middle ground where some Unicode characters are replaced but others aren’t.
Comment 8 Myles C. Maxfield 2022-03-31 21:31:25 PDT 
(In reply to mitz from comment #5)
> Is this a duplicate of bug 75394?

It looks to me like “yes” but if that bug is still reproducing then maybe not?
Comment 9 Alexey Proskuryakov 2022-03-31 21:54:35 PDT 
It doesn't seem worth the effort to develop any non-trivial mitigations, as pretty soon patch review will be on GitHub. But while it's here, it seems not great to create security risk.
Comment 10 Myles C. Maxfield 2022-04-01 10:28:08 PDT 
*** Bug 75394 has been marked as a duplicate of this bug. ***
Comment 11 Myles C. Maxfield 2022-04-01 10:48:20 PDT 
Does GitHub code review have mitigations for Trojan Source?
Comment 12 Myles C. Maxfield 2022-04-01 10:50:49 PDT 
Looks like GitHub displays a message, e.g https://github.com/nickboucher/trojan-source/blob/eaca01d01bfd588d805fbc711c39a1b3679ac484/Python/commenting-out.py