Re: Deserialization "gadget chain" in clojure

2017-09-07 Thread Daniel Compton
I saw that this issue was fixed in Clojure 1.9-alpha20. It's tracked in https://dev.clojure.org/jira/browse/CLJ-2204. If you immediately wrote it off as not affecting you because you never use clojure.inspector, it looks like it also affects APersistentMap, which is used by everyone. You still need

Re: Deserialization "gadget chain" in clojure

2017-07-19 Thread Ian Haken
Hey Alex, Thanks for digging and the quick reply. I missed your reply originally (apparently I have much to learn about properly subscribing to google groups), so sorry about the delay. Your understanding is completely correct and your assessment around the best way to mitigate this issue also

Re: Deserialization "gadget chain" in clojure

2017-07-12 Thread Alex Miller
Thanks for dropping a line, Ian. I dug into this a little to understand it better; I would be happy for any corrections. It seems the prerequisite for an attack like this is to have a server that deserializes objects from an untrusted source. It should be obvious that this is a bad idea. The attack bo

Re: Deserialization "gadget chain" in clojure

2017-07-12 Thread Matching Socks
At its core, it runs eval on untrusted data?

Deserialization "gadget chain" in clojure

2017-07-11 Thread Ian Haken
Dear Clojure community, First off, apologies for directing this at the general clojure mailing list. I was looking for a better destination, but I couldn't find any obvious person or private mailing list to direct this to; hopefully from here this can get in front of anyone who may be intereste