On Wednesday, May 9, 2012 9:35:57 AM UTC-4, Tassilo Horn wrote:
I don't think code-as-data contributes to code injection vulnerability,
neither positively nor negatively. Simply don't `eval` code/data from
sources you don't trust.
I think it does contribute through the reader. If you are using
Clojure sexps as your data format, and are calling `read' or
`read-string', you have an opening for code injection.
Calling
(binding [*read-eval* false]
(read-string x))
is clunky, and it's really easy to forget to bind `*read-eval*' to
false.
I feel like `*read-eval*' should default to false, and you should have
to explicitly bind it to true. Either that, or there should be 'safe'
versions of `read' and `read-string' that bind it to false for you.
-Walter
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
