The browser catches homograph attacks, the terminal doesn't

I would rather check urls with the following method:

  echo -e -n "https://іnstall.example-clі.dev" | python -c 'exec("""import sys, unicodedata\nfor ch in sys.stdin.read():\n  try:\n    print (ch, " ", unicodedata.name(ch))\n  except ValueError:\n    print ("codepoint ", ord(ch))\n""")'

I use non-Unicode terminal mode (I might prefer to use a terminal emulator that does not support Unicode but you can add fonts for arbitrary character sets (of your choice, so that none are forced) instead) and program the browser to always display URLs as ASCII. So, when I copy the text to the terminal, I get "#" in place of the Cyrillic alphabets.

I think making IDN work the way it does was a mistake. I thought of making IDN with a character set specific for that use (I did think about how it would work) instead of using Unicode or any other existing character sets (none of them are suitable, as far as I am concerned; however, this new IDN character set would potentially be suitable for some other uses such as perhaps package names). Using one character set for everything is not very good, and Unicode is especially bad for this. (Although in my opinion, TRON code is generally better than Unicode, neither TRON code nor Unicode is the one to use for this)

However, there are other problems with paste in the terminal window, but bracketed paste mode can mitigate some of these problems in some cases, it is not entirely helpful.

If you're copying curl|sh from webpages you're already not paying attention and domain doesn't matter

My terminal "warns" about them thanks to using a bitmap font that has no (significant?) Unicode coverage beyond code points 0 to 255.

The word tirith means guard (or watch) in Sindarin, one of Tolkien's languages from Lord of the Rings. See also Minas Tirith! I really enjoy this utility's name.

Weird that just 3 days ago https://github.com/makalin/preexec was released with almost exactly the same functionality written in Go.

My terminal is set to CP437 and uses a font incapable of rendering anything else.

Then again, I don't blindly pipe directly from the network into the shell either.

Amusing that the chosen illustrative homograph is "i" and tirith has two...

Handy! I feel like this should be built into the terminal emulator though?

This is an incredible tool.

As a child in the 1980s we'd go for long walks in the woods. One time a friend brought a pair of 30 inch bolt cutters with him, you know, as a personality extension. And of course, there was some dubious reason to use them, and he was a hero for being over-provisioned.

A solution like this is those bolt cutters - I can admire it, but the odds I'm out on a walk with it, is very, very low.

Now if you work in a bolt factory, sure, this can run on every laptop, every user account, every environment.

But I'd hope my edge firewalls are L7 scanning for cyrillic 'i' in my domains cause otherwise I'm just gonna connect and get myself hacked.

or just don't pipe random webpages into shell.

a pre exec handler for your shell gives somebody a lot of power. if this gets sufficiently popular, pwning this brew package can get one faar...

> curl -sSL https://install.example-cli.dev | bash # safe

This is not and has never been safe.