Here’s a somewhat contrived “attack”: I write a crate with two functions that ar... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		saagarjha on June 8, 2019 \| parent \| context \| favorite \| on: Rust, Macros, λ-calculus/Church numerals, oh my Here’s a somewhat contrived “attack”: I write a crate with two functions that are named similarly, wait for you to integrate it, then file a pull request using the Unicode function name (and hence calling the malicious function) and be relatively assured that if you looked up the function you’d stop reading code at the ASCII one.

fluffything on June 8, 2019 [–]

The code published on crates.io does not need to match the code in your github repository, so... you don't need unicode homographs to do this kind of attack.

Also, homographs currently produce a warning...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact