nice, that's a good way to check for this type of thing - ring only uses
this in the Cookie implementation of SessionStore, is that right?
ignacio
On Fri, Jul 11, 2014 at 12:24 PM, James Reeves wrote:
Ring uses a post condition to guard against this:
(defn- ^String serialize [x]
  {:post [(= x (edn/read-string %))]}
  (pr-str x))
- James
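The post-condition guard above, as an added example that is not Ring's code: a stand-alone namespace with the same serialize plus a check helper (a name assumed here) that reports whether a value round-trips, reads back as a different value, or cannot be read at all.

```clojure
(ns edn-guard
  (:require [clojure.edn :as edn]))

;; Same guard as Ring's serialize: print x as EDN, then assert that reading
;; the text back yields an equal value. Any blob that would be read
;; differently (or not at all) is refused instead of written.
(defn ^String serialize [x]
  {:post [(= x (edn/read-string %))]}
  (pr-str x))

;; Helper assumed for this example: classify how x fares against the guard.
;;   :ok         the text round-trips
;;   :mismatch   it reads back as a different value (post-condition fails)
;;   :unreadable clojure.edn cannot parse the printed form
(defn check [x]
  (try
    (serialize x)
    :ok
    (catch AssertionError _ :mismatch)
    (catch RuntimeException _ :unreadable)))

(defn -main [& _]
  ;; Plain data round-trips. pr-str escapes the quotes and braces inside the
  ;; string, so the reader sees one string value, not extra map entries.
  (println "plain map:" (check {:user "a \"quoted\" {value}" :id 42}))
  ;; A printer setting that truncates output yields text that still reads,
  ;; but as a different vector ending in the symbol ... ; the post-condition
  ;; catches that silent corruption before the blob is stored.
  (println "truncated vector:" (binding [*print-length* 2] (check [1 2 3 4])))
  ;; Regex literals have no EDN reader, so the printed form cannot be read
  ;; back; the guard refuses to emit it rather than write a blob that a
  ;; later reader will reject.
  (println "regex value:" (check {:pattern #"a+"})))
```

Run with `clojure -M -m edn-guard` (assertions are on by default, so the :post check is active).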
On 11 July 2014 20:13, Ignacio Thayer wrote:
we noticed this possibility of edn injection when mixing validated and
unvalidated data into a single edn blob. it's hard to exploit, and in
some sense it's obvious but i thought i'd share it since it caught us
off-guard and requires greater care than when serializing w/ json for
example.
Given a