"invisible Unicode characters" warning for no technical reason (whitespace)

[PommesSchranke]

Description

Hello gitea,

I'm a codeberg user. Lately I found, that for formfeeds ('\f’) an inappropriate warning is shown on top of the code, plus the formfeed characters are hidden behind a warning icon (see [https://codeberg.org/Foxglove/tileserver/src/branch/main/tileserver.pl]). Thus hiding the character warned of making the decision in favour of that piece of source code a lot harder.

I now learned, that codeberg is "following upstream and will never fork", plus the code that does the inappropriate warning and the information-hiding is part of gitea.

Why I consider this a bug

Although this might install some false fealing of security in the faint of heart (and/or bad informed), it will in the most part shy away those people, rendering publishing of source code on codeberg (through gitea) useless for me and, maybe others.

Imagine the emacs people would resort to host one of the oldest and most active open source projects through gitea:

••• sebastian@terra:/home/sebastian/develop/ext/emacs [master]
 ⤷ grep -lPr '\f' lisp | wc -l | xargs echo "Files with warnings: "
Files with warnings:  474

••• sebastian@terra:/home/sebastian/develop/ext/emacs [master]
 ⤷ grep -Pr '\f' lisp | wc -l | xargs echo "Icons to click: "
Icons to click:  4273

Is there a possiblity to get rid of the faulty code, or complement it with some sensible test for attack vectors?

Best wishes,

• Sebastian

Gitea Version

Current codeberg's version (as of 2023-06-05)

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

Git Version

No response

Operating System

No response

How are you running Gitea?

I'm a codeberg user, and was told, the warning is produced in gitea (https://codeberg.org/Codeberg/Community/issues/1030#issuecomment-929035

Database

None

[wxiaoguang]

Related to:

• Wrong unicode char reporting. #23682
• Incorrect report of ambiguous unicode characters #23149

(and maybe more)

[silverwind]

I think VSCode would also "warn" or at least highlight these, but I propose we just introduce a config option where server admins can decide which character classes to warn for - see #23682.

[PommesSchranke]

"I think VSCode would also warn..." is not in any way a technical reason. I consider the warning itself in this case buggy, since there is no reason to show it for the whitespace character: '\f', simply a formfeed.

[silverwind]

It fits the "ambigous" category, but see #23682 (comment) for my proposal that would by default not highlight ambigous characters, only bidi exploits.

[eleksir]

In my opinion this "Ambiguous thing" must have config option to disable this abusive junk entirely and on per-repo basis.
I just don't care about it - i'm the only one user of my instance of gitea and don't care about this overhyped pseudo-security hypothetical nano-risk of something that security-a-like-fanboys think can be dangerous for them (because of their incompetence).

Please make an option in config to disable this crippled function for whole instance of gitea and setting to enable/disable this ambi-crap (to allow paranoids feel pseudo-safeness).

[PommesSchranke]

Yes! There is nothing "ambiguous" about a formfeed anyway. Computing is not about ambiguity. Either there we find a char introducing some attack vector, or we do not. Formfeed does not. So there is nothing to warn about it => it's a bug!

[silverwind]

#23682 has some suggestions for a fix, let's move the discussion there, we don't need two issues open for it.