#include #include #include #include #include // most modern text editors will show you the invisible characters in this file // because this file demonstrates a very real security vulnerability // In vscode you can disable this by adding the following to your settings.json // "editor.renderWhitespace": "none", // "editor.unicodeHighlight.ambiguousCharacters": false, // "editor.unicodeHighlight.invisibleCharacters": false, // "editor.unicodeHighlight.nonBasicASCII": false, // "editor.renderControlCharacters": false, // But you should immediately re-enable it after you have finished reading this file bool strings_are_equal(char *s1, char *s2) { printf("Comparing \"%s\" and \"%s\"\n", s1, s2); return strcmp(s1, s2) == 0; } int main(int argc, char *argv[]) { if (argc != 2) { printf("Usage: %s \n", argv[0]); printf("Access levels:\n"); printf("0: user, 1: admin\n"); return 1; } char *access_levels[] = {"user", "admin"}; int selected_access_level = atoi(argv[1]); char *current_access_level = access_levels[selected_access_level]; printf("Current access level: %s\n", current_access_level); // with invisible characters not visible // this next line will likely look like: // if (!strings_are_equal(current_access_level, "user")) // Check if admin // But that's not actully what it is // the real code is: // if (!strings_are_equal(current_access_level, "user // Check if admin")) // The invisible characters here are the left-to-right mark (U+200E) and the left-to-right embedding (U+202A) // These characters tell the text editor to render the text in a forced direction // Instead of the normal direction of the text (left-to-right in the western world, right-to-left in the arabic world) // Forcing the text to be rendered in a different direction is a common way to make text appear to be something it is not // Like in tis case where what looks like a comment is actually part of the string if (!strings_are_equal(current_access_level, "user‮ ⁦// Check if admin⁩ ⁦")) { printf("Hello admin.\n"); } return 0; }