[reportlab-users] Python files and ascii
Claude Paroz
claude at 2xlibre.net
Mon Feb 21 06:27:58 EST 2022
Hi Robin, Peter,
Thanks for the threatpost link. Indeed a good thing to be aware of. It's
just a bit sad that once again, hackers are winning in a sense :-(
I like the proposal of Peter, allowing unicode for test files. Because
Unicode is rather useful in tests. Typically, it's just more friendly to
write:
para = Paragraph("Viele Grüße")
than
para = Paragraph(b'Viele Gr\xc3\xbc\xc3\x9fe'.decode('utf-8'))
Claude
Le 21.02.22 à 12:02, Peter Cock a écrit :
> That's a good point Robin, something I'll keep in mind for other Python
> projects.
> Generally it has only been people's names where I/we have needed this
> (things like contributor listings or references in comments/docstrings).
>
> Would it be a helpful compromise to allow unicode Python files for the
> tests only?
>
> Peter
>
> On Mon, Feb 21, 2022 at 10:51 AM Robin Becker <robin at reportlab.com> wrote:
>
> Hi Claude,
>
> I am a bit unsure about this patch. I accept the unique test is
> probably not required, but I don't think we should
> remove the test for all reportlab python files being in ascii.
>
> There has been a lot of interest recently in the possibility of
> using unicode to do malware hackery eg by smuggling in
> code which appears reasonable, but is in fact different and hidden
> by use of homoglyphs see eg
>
> https://threatpost.com/trojan-source-invisible-bugs-source-code/175891/
>
> The ReportLab code base has at least until now been almost entirely
> in English with some American spellings eg color
> instead of colour, and there are a small number of foreign language
> texts (mostly in the tests folder).
>
> I suppose the implication of removing the test would be that some of
> the reportlab code could use variables, strings etc
> with non-ascii characters. Can you give examples where that would be
> beneficial?
>
> What do others think?
>
> I'm not entirely sure about the security problems with homoglyphs,
> but they have to be a consideration with open source
> projects where we have a fairly open patching policy.
>
> On 18/02/2022 22:45, Claude Paroz wrote:
> > Hi all,
> >
> > Here's a new patch that stops testing for ReportLab Python files
> > being ASCII-only. On Python 3, we can safely include
> > Unicode chars in Python files.
> >
> > Claude
> ..........
> --
> Robin Becker
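
The compromise discussed in this thread (ASCII-only library files, Unicode allowed in tests) could be enforced with a check like the following. This is an added example, not ReportLab's own test or anything posted to the list; the `tests` directory name and the function names are assumptions, and rejecting invisible format characters even in test files goes one step beyond what the thread proposes.

```python
import pathlib
import unicodedata

UNICODE_OK_DIRS = {"tests"}  # assumption: directories where non-ASCII is permitted


def scan_source(text, allow_unicode):
    """Return (line, col, codepoint, name) for each disallowed character."""
    findings = []
    # Split on "\n" only: str.splitlines() would swallow U+2028/U+2029.
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) < 128:
                continue
            # Category Cf (format) covers bidi overrides and zero-width
            # characters; they render invisibly, so reject them everywhere.
            invisible = unicodedata.category(ch) == "Cf"
            if invisible or not allow_unicode:
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "UNNAMED")))
    return findings


def check_tree(root):
    """Scan every .py file under root; return {relative_path: findings}."""
    root = pathlib.Path(root)
    report = {}
    for path in sorted(root.rglob("*.py")):
        rel = path.relative_to(root)
        allow = any(part in UNICODE_OK_DIRS for part in rel.parts[:-1])
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError as exc:
            report[rel.as_posix()] = [(0, 0, "invalid UTF-8", str(exc))]
            continue
        findings = scan_source(text, allow)
        if findings:
            report[rel.as_posix()] = findings
    return report


if __name__ == "__main__":
    import sys
    for name, hits in check_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line, col, cp, uname in hits:
            print(f"{name}:{line}:{col}: {cp} {uname}")
```

Visible non-ASCII letters in test files, including look-alike letters from other scripts, still pass this check, so patches touching those files still need a reviewer's eye.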