> On Tue, Sep 22, 2009 at 6:46 PM, Eric Tschetter <eched...@gmail.com> wrote:
> But, this looks like a gaping security hole. You're taking an HTTP POST
> request body and eval'ing it. Someone will, sooner or later, try typing
> "(delete all the secret files)" into the web form and clicking Send. Or
> worse, something that will actually delete something or grant privilege.
> Sending "(doall (iterate inc 1))" will crash the server with OOME after a
> lengthy 100%-cpu-use hang while it fills memory with consecutive Integer
> objects, for a cheap and easy DoS attack. And so forth.
Presumably the #clojure IRC bot has solved or worked around many of these issues? It certainly operates in a sandbox: http://github.com/hiredman/clojurebot

R.
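As an added illustration of the two points Eric raises (arbitrary code execution and the `(doall (iterate inc 1))` DoS), here is the "eval the POST body" handler beside a restricted version. This is example code written for this note; it is not from the thread, from the web app under discussion, or from clojurebot. It assumes a Ring-style request map with a `:body` reader, a hypothetical namespace `sandbox-demo`, and a hand-picked allow-list of symbols; the inputs in the `comment` block are constructed.

```clojure
;; Added example, not code from the thread or from clojurebot.
;; Assumes a Ring-style request map {:body <Reader>}; no server is started.
(ns sandbox-demo
  (:require [clojure.walk :as walk]))

;; The pattern Eric objects to: whatever the client sends is read and
;; evaluated with the full privileges of the server JVM.
(defn unsafe-eval-handler [request]
  (let [form (read-string (slurp (:body request)))]
    {:status 200 :body (pr-str (eval form))}))

;; Restricted version, three independent checks:
;;  1. *read-eval* is off, so "#=(...)" cannot run code at read time.
;;  2. Every symbol in the form must be on an explicit allow-list, so
;;     clojure.java.io/delete-file, System/exit, var, def, . and friends
;;     are rejected before eval ever sees them.
;;  3. eval runs in a future with a deadline; on timeout the future is
;;     cancelled and the client gets a 400 instead of an open connection.
;; Allow-list is an assumption for the demo; tune it to the real app.
(def allowed-symbols
  '#{+ - * / inc dec max min str count first rest map filter reduce
     take vector list conj})

(defn- symbols-in
  "Every symbol anywhere in the form, including nested lists and vectors."
  [form]
  (let [found (atom #{})]
    (walk/postwalk (fn [x] (when (symbol? x) (swap! found conj x)) x) form)
    @found))

(defn safe-read [s]
  (binding [*read-eval* false]
    (read-string s)))

(defn check-form!
  "Throws ex-info if the form mentions any symbol outside the allow-list."
  [form]
  (let [bad (remove allowed-symbols (symbols-in form))]
    (when (seq bad)
      (throw (ex-info "symbol not allowed" {:symbols (vec bad)})))
    form))

(defn eval-with-timeout [form timeout-ms]
  (let [f      (future (eval form))
        result (deref f timeout-ms ::timeout)]
    (if (= result ::timeout)
      (do (future-cancel f)
          (throw (ex-info "evaluation timed out" {:timeout-ms timeout-ms})))
      result)))

(defn restricted-eval-handler [request]
  (try
    (let [form (-> (:body request) slurp safe-read check-form!)]
      {:status 200 :body (pr-str (eval-with-timeout form 1000))})
    (catch clojure.lang.ExceptionInfo e
      {:status 400 :body (str (.getMessage e) " " (pr-str (ex-data e)))})
    (catch Exception e
      ;; eval errors inside the future surface as ExecutionException
      {:status 400 :body (str "evaluation failed: " (.getMessage e))})))

(comment
  ;; constructed inputs
  (restricted-eval-handler {:body (java.io.StringReader. "(+ 1 2)")})
  ;; {:status 200, :body "3"}
  (restricted-eval-handler {:body (java.io.StringReader. "(System/exit 0)")})
  ;; {:status 400, :body "symbol not allowed {:symbols [System/exit]}"}
  (restricted-eval-handler {:body (java.io.StringReader. "#=(System/exit 0)")})
  ;; rejected by the reader because *read-eval* is false
  )
```

Two caveats a practitioner should keep in mind. The allow-list stops privileged calls, but it does not stop a CPU or memory hog built from harmless functions, which is why the timeout is there; and `future-cancel` only interrupts the worker thread, so a tight loop or a `doall` over an infinite seq keeps running and can still exhaust the heap. A deadline therefore protects the client connection, not the JVM; bounding memory and CPU needs process-level isolation (a separate JVM with `-Xmx`, a security manager, or the kind of sandbox R. points to), which this snippet does not provide.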