Walter Tetzner <robot.ninja.saus...@gmail.com> writes:

> On Wednesday, May 9, 2012 9:35:57 AM UTC-4, Tassilo Horn wrote:
>
>> I don't think code-as-data contributes to code injection
>> vulnerability, neither positively nor negatively. Simply don't
>> `eval` code/data from sources you don't trust.
>
> I think it does contribute through the reader. If you are using
> Clojure sexps as your data format, and are calling `read` or
> `read-string`, you have an opening for code injection.
Ah, right, I've forgotten about the #=() syntax. But if you `print` and `read` your data to/from files/databases/whatever and there's a #=(explode-system) in it, then your system has been compromised already and you have a problem anyway.

> Calling
>
>     (binding [*read-eval* false]
>       (read-string x))
>
> is clunky, and it's really easy to forget to bind *read-eval* to
> false.
>
> I feel like *read-eval* should default to false, and you should have
> to explicitly bind it to true.

Yes, probably. And possibly the major use-cases of #=() can be handled with the new tagged literals in a better and safer way.

Bye,
Tassilo
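As an added illustration (not code from either poster), the following wraps the `*read-eval*` binding Walter shows into one function so it cannot be forgotten, and installs a tagged-literal reader of the kind Tassilo suggests as the replacement for `#=()`. The `example.safe-read` namespace, the `Point` record and the `#example/point` tag are hypothetical; the input strings are constructed.

```clojure
(ns example.safe-read
  "Added example: reading untrusted sexp data without letting #=() run.")

;; Hypothetical application data type, standing in for whatever a real
;; program stores as sexps.
(defrecord Point [x y])

;; Data reader for the hypothetical tag #example/point [x y].
;; The reader hands this function the already-read vector; nothing in the
;; input string is evaluated, which is what makes tagged literals the safer
;; replacement for #=(...) constructors.
(defn read-point [[x y]]
  (->Point x y))

(defn safe-read-string
  "Read one form from an untrusted string. *read-eval* is bound to false so
  a #=(...) form makes the reader throw instead of executing it; the
  exception is turned into ::rejected so callers always get a value back."
  [s]
  (try
    (binding [*read-eval*    false
              *data-readers* {'example/point read-point}]
      (read-string s))
    (catch RuntimeException _
      ::rejected)))

;; Constructed inputs: ordinary data, a tagged literal, and a string that
;; abuses the eval reader (a harmless arithmetic form stands in for the
;; #=(explode-system) of the thread).
(def benign  "{:user \"alice\" :roles [:admin]}")
(def tagged  "#example/point [3 4]")
(def hostile "#=(+ 1 2)")

(defn -main [& _]
  ;; Under the default *read-eval* true, a bare read-string would evaluate
  ;; the form inside `hostile` while reading; safe-read-string rejects it
  ;; and still reads the benign map and the tagged literal normally.
  (doseq [s [benign tagged hostile]]
    (println (pr-str s) "->" (pr-str (safe-read-string s)))))
```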