On Wed, Aug 26, 2009 at 1:13 PM, John Harrop<jharrop...@gmail.com> wrote:
> This is important to know about for security reasons, also. Specifically, if
> you are receiving Clojure data structures in text form over the network, and
> don't set *read-eval* to false, you're vulnerable to a "Clojure injection
> attack". Someone could send you "(+ 5 #=(System/exit 0))" as a
> denial-of-service attack, just for starters.
>
> I doubt there's a way to make it safe. There's probably no way to force
> those expressions to run in an applet sandbox, at least without massive
> kludging.

I'm pretty sure clojurebot in the #clojure channel does exactly this
kind of sandboxing for both read and eval.

--Chouser
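
The reader behaviour discussed in this message, as an added example that is not part of the original thread: the same text is read with default settings, with `*read-eval*` bound to false, and with `clojure.edn`. It assumes Clojure 1.5 or later (`clojure.edn` postdates this thread); the namespace, helper names and sample inputs are constructed for illustration, and the `#=` form used is a harmless addition.

```clojure
(ns example.safe-read
  (:require [clojure.edn :as edn]))

;; Constructed sample inputs. The second uses a harmless #= form so the
;; read-time evaluation is visible without side effects.
(def samples
  ["{:user \"alice\" :roles [:admin]}"
   "(+ 5 #=(+ 1 2))"])

(defn read-with-eval-disabled
  "Hypothetical helper: clojure.core/read-string with *read-eval* bound to
  false. Returns [:ok data] or [:rejected message]."
  [s]
  (try
    (binding [*read-eval* false]
      [:ok (read-string s)])
    (catch Exception e
      [:rejected (.getMessage e)])))

(defn read-as-edn
  "Hypothetical helper: parse the text as EDN, whose reader has no #=
  dispatch at all. Returns [:ok data] or [:rejected message]."
  [s]
  (try
    [:ok (edn/read-string s)]
    (catch Exception e
      [:rejected (.getMessage e)])))

(doseq [s samples]
  (println "input:            " s)
  ;; Default reader settings: the #= form is evaluated while reading,
  ;; before any call to eval.
  (println "default reader:   " (pr-str (read-string s)))
  (println "*read-eval* false:" (pr-str (read-with-eval-disabled s)))
  (println "clojure.edn:      " (pr-str (read-as-edn s))))
```

The docstring of `clojure.core/read` in current Clojure releases states that it should not be used on untrusted data and points to `clojure.edn/read` instead.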