On Wed, May 9, 2012 at 6:01 PM, Rostislav Svoboda <rostislav.svob...@gmail.com> wrote:
> I think the topic 'code injection vulnerability' is never out of date,
> especially if you treat data as code.
> Unfortunately googling for - clojure code injection vulnerability -
> returns 'nil'.
>
> Any ideas? Comments? Opinions?
The problem will only occur if the reader is made to evaluate some code while reading. Currently this is possible using the #= reader macro. For example:

    user> (read-string "#=(eval (def x 3))")
    ;;=> #'user/x

This potentially dangerous feature can be turned off by binding the *read-eval* var to false before reading the string. For example:

    user> (binding [*read-eval* false] (read-string "#=(eval (def x 3))"))
    ;;=> ; Evaluation aborted.

Hope this helps.

Regards,
BG

--
Baishampayan Ghose
b.ghose at gmail.com
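An added example, not code from BG's reply or from Clojure itself: a small wrapper that reads untrusted input with *read-eval* bound to false and reports rejection instead of throwing, alongside the same check with clojure.edn/read-string (available since Clojure 1.5), whose reader has no evaluating macros at all. The namespace and function names are assumptions for this illustration.

```clojure
;; Added example (not from the original thread): reading untrusted input
;; with the evaluating reader macro disabled, and with the EDN reader.
(ns reader-demo
  (:require [clojure.edn :as edn]))

(defn read-untrusted
  "Read one form from an untrusted string with *read-eval* bound to false.
   Returns {:ok form} on success, or {:error message} when the reader
   rejects the input (for instance because it contains a #= form).
   Because the rejection happens inside the reader, nothing is evaluated
   and no var is def'd."
  [s]
  (try
    {:ok (binding [*read-eval* false]
           (read-string s))}
    (catch Exception e
      {:error (.getMessage e)})))

(defn read-edn
  "Same idea using the EDN reader (clojure.edn, Clojure 1.5+), which has
   no #= dispatch macro, so such input is rejected as unknown syntax."
  [s]
  (try
    {:ok (edn/read-string s)}
    (catch Exception e
      {:error (.getMessage e)})))

;; Constructed sample inputs for the demonstration.
(def plain-data "{:user \"alice\" :roles [:admin]}")
(def eval-form  "#=(eval (def x 3))")   ; the payload shape from the thread

;; Ordinary data is read as data and comes back under :ok.
(read-untrusted plain-data)
(read-edn plain-data)

;; The #= form is rejected by both readers and comes back under :error;
;; in particular, x is never defined in this namespace.
(read-untrusted eval-form)
(read-edn eval-form)
(resolve 'x)   ; nil: the def never ran
```

In application code the binding should wrap only the reader call, not a larger block that later legitimately needs evaluation, so that the restriction cannot be accidentally widened or forgotten.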