On Wed, Aug 26, 2009 at 1:13 PM, John Harrop <[email protected]> wrote:
> This is important to know about for security reasons, also. Specifically,
> if you are receiving Clojure data structures in text form over the network,
> and don't set *read-eval* to false, you're vulnerable to a "Clojure
> injection attack". Someone could send you "(+ 5 #=(System/exit 0))" as a
> denial-of-service attack, just for starters.

Interesting result from testing this:

user=> (read-string "(System/exit 0)")
(System/exit 0)
user=> (read-string "#=(System/exit 0)")
ClassNotFoundException: System
user=> (read-string "#=(java.lang.System/exit 0)")
REPL is disconnected.

Strange that java.lang is not apparently imported in whatever environment the EvalReader uses. Doesn't stop it being a security hole if accessible over the network though. :)

You received this message because you are subscribed to the Google Groups "Clojure" group.
http://groups.google.com/group/clojure?hl=en
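As an added example, not part of this thread and not Clojure's own code, the following shows the defensive side of the point raised above: reading text from an untrusted source with reader evaluation disabled, and the alternative of reading it as plain EDN data. It assumes Clojure 1.5 or later (for the clojure.edn namespace); the function names read-untrusted and read-edn and the sample payload are mine, the payload being the one quoted in the thread.

```clojure
;; Added example (not from the original thread or from Clojure itself).
;; Assumes Clojure 1.5+ so that clojure.edn is available.
(ns reader-hardening
  (:require [clojure.edn :as edn]))

;; Constructed sample: the payload quoted in the thread, with the
;; fully qualified class name that the tester found actually works.
(def untrusted-input "(+ 5 #=(java.lang.System/exit 0))")

;; *read-eval* is true by default, so clojure.core/read-string evaluates
;; a #= form while reading. Binding it to false makes the reader throw
;; on #= instead of evaluating it, so the call site only ever sees data.
(defn read-untrusted
  "Read s with reader evaluation disabled.
   Returns {:ok data} or {:error message}."
  [s]
  (try
    {:ok (binding [*read-eval* false]
           (read-string s))}
    (catch Exception e
      {:error (.getMessage e)})))

;; Preferred when the wire format is data rather than code: the EDN reader
;; has no #= dispatch macro at all, so there is nothing to remember to turn off.
(defn read-edn
  "Read s as EDN data. Returns {:ok data} or {:error message}."
  [s]
  (try
    {:ok (edn/read-string s)}
    (catch Exception e
      {:error (.getMessage e)})))

(comment
  ;; Both rejecting the payload with an {:error ...} map, instead of
  ;; exiting the JVM, is the behaviour the thread is warning about.
  (read-untrusted untrusted-input)
  (read-edn untrusted-input)
  ;; Ordinary data still reads fine.
  (read-edn "{:op :ping :n 5}"))
```

With *read-eval* bound to false the core reader rejects the #= form with an exception rather than running it; clojure.edn/read-string rejects it because = is not an EDN dispatch character. The binding approach must wrap every read of untrusted text (the default is still true elsewhere in the process), whereas choosing the EDN reader removes the eval path from the receiving code entirely.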
