This isn't what you are asking, but I wanted to make a comment that there is a 
proposed patch to Clojure attached to ticket CLJ-904 that adds warnings to read 
and read-string about how their behavior depends upon the value of *read-eval*:

    http://dev.clojure.org/jira/browse/CLJ-904

Also, one of the examples for read on ClojureDocs.org defines a 
'read-from-file-safely' function showing how to avoid eval behavior:

    http://clojuredocs.org/clojure_core/clojure.core/read

Andy

On Jan 29, 2013, at 11:02 PM, Takahiro Hozumi wrote:

> As more and more projects are using the edn format for config,
> communication, etc., I think that the default value of *read-eval*,
> which is true, is a source of vulnerability such as the recently reported
> Ring issue [1].
> And I don't understand why read-string depends on *read-eval* instead
> of an argument.
> I believe an optional argument is preferable.
> What do you think?
> 
> [1] Ring 1.0.3 / 1.1.7 released to fix security flaw
> https://groups.google.com/group/clojure/browse_thread/thread/7b0fe662867b9124
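
The dependence of read-string on *read-eval* discussed in this thread, shown as an added example that is not from the thread, the CLJ-904 patch, or the ClojureDocs page. It assumes Clojure 1.5 or later for clojure.edn; the namespace and function names are hypothetical and the inputs are constructed.

```clojure
(ns example.safe-read
  (:require [clojure.edn :as edn]))

;; Constructed sample inputs.
(def plain-config "{:port 8080 :hosts [\"a\" \"b\"]}")
(def eval-form "#=(+ 1 2)") ; harmless form that uses the reader's eval syntax

(defn read-with-core
  "Calls clojure.core/read-string under an explicit *read-eval* binding.
  Returns {:ok value} or {:error message} so both outcomes are visible."
  [read-eval? s]
  (binding [*read-eval* read-eval?]
    (try
      {:ok (read-string s)}
      (catch Exception e
        {:error (.getMessage e)}))))

(defn read-untrusted
  "Reads data with clojure.edn/read-string, which never evaluates code
  and does not consult *read-eval* at all."
  [s]
  (try
    {:ok (edn/read-string s)}
    (catch Exception e
      {:error (.getMessage e)})))

(defn -main [& _]
  ;; Plain data reads the same way through every path.
  (println (read-with-core true plain-config))
  (println (read-with-core false plain-config))
  (println (read-untrusted plain-config))
  ;; The eval form is executed only when *read-eval* is true;
  ;; the other two paths reject it with an exception.
  (println (read-with-core true eval-form))
  (println (read-with-core false eval-form))
  (println (read-untrusted eval-form)))
```

For input that crosses a trust boundary, read-untrusted is the path to use, since its behavior does not depend on a dynamic var that other code may have rebound.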
