Zimbalwa izinsuku ezedlule Kukhishwe abacwaningi baseCambridge University ukushicilelwa kwe- indlela yokushintshanisa amakhodi ngobuqili enonya kukhodi yomthombo wohlelo lokusebenza.
Indlela yokuhlasela ilungiselele lokho Sekuvele kuhlu ngaphansi kwe-CVE-2021-42574 Iza ngaphansi kwegama elithi Umthombo weThrojani futhi isekelwe ekwakhiweni kombhalo obukeka uhlukile kumdidiyeli/umhumushi kanye nomuntu obuka ikhodi.
Mayelana nomthombo weThrojani
Indlela incike ekusebenziseni izinhlamvu ezikhethekile ze-Unicode kumazwana ekhodi, okushintsha ukuhleleka kwesibonisi kombhalo oqondiswa kabili. Ngosizo lwalezi zinhlamvu zokulawula, ezinye izingxenye zombhalo zingaboniswa ukusuka kwesobunxele kuye kwesokudla, kanti ezinye ukusuka kwesokudla kuye kwesokunxele.
Ngokwenza kwansuku zonke, lezi zinhlamvu zokulawula zingasetshenziswa, isibonelo, ukufaka izintambo zesiHeberu noma zesi-Arabhu efayeleni lekhodi. Kodwa-ke, uma usebenzisa lezi zinhlamvu ukuze uhlanganise imigqa enezikhombisi-ndlela ezihlukene zombhalo emugqeni ofanayo, iziqephu zombhalo eziboniswa ukusuka kwesokudla kuye kwesokunxele zingase zidlulele umbhalo ovamile ovele ukhona oboniswa ukusuka kwesokunxele kuye kwesokudla.
Ngalendlela, ukwakheka okunonya kunganezelwa kukhodi, kodwa bese wenza umbhalo onalokhu kwakhiwa ungabonakali lapho ubuka ikhodi, wengeza izinhlamvu eziboniswe kusukela kwesokudla kuya kwesokunxele emazwaneni alandelayo noma ngaphakathi kwezwi nezwi, okuzophumela kumphumela wezinhlamvu ezihluke ngokuphelele ezibekwe phezu kokufaka okunonya. Ikhodi enjalo isazolunga ngokwezibalo, kodwa izohunyushwa futhi iboniswe ngendlela ehlukile.
Sithole izindlela zokukhohlisa ukubhalwa kwekhodi kwamafayela ekhodi yomthombo ukuze izibukeli ezingabantu nabadidiyeli babone ukucabanga okuhlukile. Indlela eyodwa eyingozi kakhulu isebenzisa izinhlamvu ze-Unicode zokudlula ukukhombisa ikhodi njenge-anagram yomqondo wayo wangempela. Siqinisekisile ukuthi lokhu kuhlasela kusebenza ngokumelene no-C, C ++, C #, JavaScript, Java, Rust, Go, kanye nePython, futhi sisola ukuthi kuzosebenza ngokumelene nezinye izilimi eziningi zanamuhla.
Ngenkathi ubuyekeza ikhodi, unjiniyela uzobhekana nokuhleleka kokubukwa kwabalingiswa futhi uzobona amazwana asolisayo kumhleli umbhalo, isixhumi esibonakalayo sewebhu noma i-IDE, kodwa umdidiyeli notolika bazosebenzisa ukuhleleka okunengqondo kwezinhlamvu futhi baphathe ikhodi enonya njengoba kunjalo, kungakhathaliseki ukuthi umuphi umbhalo oqondiswe kabili emazwaneni. Abahleli bekhodi abaningana abadumile (i-VS Code, i-Emacs, i-Atom), kanye nezindawo zokubuka ikhodi kumakhosombe (i-GitHub, i-Gitlab, i-BitBucket, nayo yonke imikhiqizo ye-Atlassian) iyathinteka.
Kunezindlela ezimbalwa zokusebenzisa indlela yokwenza izenzo ezinonya: engeza isisho esifihliwe "ukubuyisela", okuholela ekunqanyulweni kokwenziwa komsebenzi ngaphambi kwesikhathi; isiphetho emazwaneni ezinkulumo ngokuvamile ezibhekwa njengezakha ezisebenzayo (ngokwesibonelo, ukukhubaza ukuhlola okubalulekile); Ukunikeza amanye amanani eyunithi yezinhlamvu okuholela ekuhlulekeni kokuqinisekiswa kweyunithi yezinhlamvu.
Futhi, kwahlongozwa enye inketho yokuhlasela (CVE-2021-42694), ebandakanya ukusetshenziswa kwama-homoglyphs, izimpawu ezibonakala zifana ngokubukeka, kodwa ezihlukene ngencazelo futhi ezinamakhodi ahlukene e-Unicode. Lezi zinhlamvu zingasetshenziswa kwezinye izilimi emsebenzini namagama aguquguqukayo ukudukisa onjiniyela. Isibonelo, ungachaza imisebenzi emibili ngamagama angehlukaniseki enza izenzo ezihlukene. Ngaphandle kokuhlaziya okuningiliziwe, awukwazi ukuqonda ngokushesha ukuthi yimuphi kule misebenzi emibili ebizwa endaweni ethile.
Njengendlela yokuvikela, kunconywa ukuthi kusetshenziswe kubahlanganisi, otolika namathuluzi wokuhlanganisa asekela izinhlamvu ze-Unicode, okubonisa iphutha noma isixwayiso noma ngabe kukhona izinhlamvu zokulawula ezingabhanqiwe kumazwana, iyunithi yezinhlamvu, noma izihlonzi ezishintsha indlela yokuphumayo. Lezi zinhlamvu kufanele futhi zivinjelwe ngokusobala ezicacisweni zolimi lohlelo futhi kufanele zicatshangelwe kubahleli bekhodi nezixhumi ezibonakalayo ukuze kusetshenzwe namakhosombe.
Ngaphandle kwalokho ubungozi sebuvele buqalile ukulungiswa ilungiselelwe i-GCC, i-LLVM / Clang, i-Rust, i-Go, i-Python nama-binutils. I-GitHub, i-Bitbucket ne-Jira nazo sezivele zilungiselela isisombululo kanye ne-GitLab.
Okokugcina Uma unesifiso sokwazi okwengeziwe ngakho, ungabonisana imininingwane ekulesi sixhumanisi esilandelayo.