On Wednesday, May 9, 2012 9:35:57 AM UTC-4, Tassilo Horn wrote:

> I don't think code-as-data contributes to code injection vulnerability, 
> neither positively nor negatively.  Simply don't `eval` code/data from 
> sources you don't trust. 
>

I think it does contribute through the reader. If you are using Clojure 
sexps as your data format, and are calling `read` or `read-string`, you 
have an opening for code injection.

Calling
(binding [*read-eval* false]
  (read-string x))
is clunky, and it's really easy to forget to bind *read-eval* to false.

I feel like *read-eval* should default to false, and you should have to 
explicitly bind it to true. Either that, or there should be 'safe' versions 
of 

-Walter
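The wrapper Walter calls clunky, written out as an added example that is not part of this thread: it fixes the binding in one place so callers cannot forget it, and checks that the read-eval reader form is refused rather than run. It assumes Clojure 1.5 or later (released after this thread) only for the final clojure.edn note.

```clojure
;; Added example, not from the mailing-list thread.
(ns safe-read
  (:require [clojure.edn :as edn]))

(defn safe-read-string
  "Read one form from s with *read-eval* bound to false for the whole
   read, so a #=(...) form throws instead of being evaluated. The
   binding is dynamic and per-thread, so it must wrap the read itself;
   setting it once elsewhere does not cover reads on other threads."
  [s]
  (binding [*read-eval* false]
    (read-string s)))

;; Constructed sample input: ordinary data, accepted by every reader.
(def good-input "{:user \"walter\" :roles [:admin :dev]}")

;; Constructed sample input carrying the read-eval reader form. With
;; *read-eval* true it would be evaluated during the read; with the
;; binding above the reader rejects it.
(def eval-input "#=(+ 1 2)")

(defn rejects-read-eval?
  "True when safe-read-string refuses s by throwing."
  [s]
  (try
    (safe-read-string s)
    false
    (catch Exception _ true)))

(comment
  ;; Plain data reads normally.
  (safe-read-string good-input)
  ;; The read-eval form is refused.
  (rejects-read-eval? eval-input)
  ;; Clojure 1.5+: the EDN reader has no eval syntax at all, so for
  ;; untrusted data it is the better default than read-string.
  (edn/read-string good-input))
```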

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.