by Michael S. Kaplan, published on 2006/02/16 09:10 -05:00, original URI: http://blogs.msdn.com/b/michkap/archive/2006/02/16/533226.aspx
Yesterday, when I posted Every character has a story #19: U+200c and U+200d (ZERO WIDTH [NON] JOINER), I got an interesting comment from Yosuke HASEGAWA:
Using ZERO WIDTH (NON) JOINER or ZWNBSP(BOM) to filename or registory key and values, you can create several files that appearance is the same name.
This may cause visual problems in security domain. So I hope to disable using Unicode control characters for filename in Windows.
Of course, Bidi control characters such as "RLO" too.
Anyone who feels that way really needs to look at the two Unicode Technical Reports I mentioned:
It is not merely a matter of invalidating some characters, as these UTRs make perfectly clear....
Add to that the legacy issue and the whole Uppercase and Binary world of the Microsoft Windows namespace and you are left with a very difficult problem -- one that is not really solved by disallowing a few characters since security problems on a local machine are not generally caused by confusable characters!
And that gets even more complicated when there are core strings that need to be used which, if they were not allowed would cause significant linguistic and political issues (as I pointed out yesterday).
Now with that said:
So nobody is ignoring the fact that there is a problem here, a problem that must not be ignored.
But nobody in Microsoft is planning on making a few cosmetic changes and calling themselves secure afterward, either. If you know what I mean....
This post brought to you by "ɢ" (U+0262, LATIN LETTER SMALL CAPITAL G)
referenced by
2006/03/05 Will I C U at the IUC?