This is important to know about for security reasons, also. Specifically, if you are receiving Clojure data structures in text form over the network, and don't set *read-eval* to false, you're vulnerable to a "Clojure injection attack". Someone could send you "(+ 5 #=(System/exit 0))" as a denial-of-service attack, just for starters. I doubt there's a way to make it safe. There's probably no way to force those expressions to run in an applet sandbox, at least without massive kludging. You'd have to vet the strings first, using some non-Clojure-reader parser. Easier to use the Clojure reader and then walk the resulting data structures looking for, say, special sentinel keywords that should be substituted with other things, or that flag something about the following item (say, that it should be converted to a SortedMap).
For storing stuff locally the "EvalReader" should be safe, unless your program runs with elevated privileges compared to the user who runs it (Unix setuid or equivalent). In that event, though, there's a possibility of it being exploited for local privilege escalation. Arbitrary Clojure and Java code could be submitted to be run at the higher privilege level.

You received this message because you are subscribed to the Google Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/clojure?hl=en
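The failure mode described in the post above, and the read-then-walk-for-sentinels alternative it suggests, as an added Clojure example. This is not code from the original post or from the Clojure project. It assumes a Clojure 1.5 or later runtime (for clojure.edn); the function names (read-unsafely, read-with-read-eval-off, read-edn, substitute-sentinels) and the :sorted-map sentinel are this example's own. The hostile input is constructed, and uses a harmless static call in place of the post's (System/exit 0) so the demo can run to completion.

```clojure
(ns reader-injection-demo
  (:require [clojure.edn :as edn]))

;; Constructed hostile input: innocent-looking arithmetic with a #= form
;; inside. The post's payload is (System/exit 0); a harmless static call
;; stands in for it here so the demo finishes. A fully qualified class name
;; is used because EvalReader resolves the class from the symbol's namespace
;; part without consulting any Clojure namespace.
(def hostile-text
  "(+ 5 #=(java.lang.System/getProperty \"java.version\"))")

(defn read-unsafely
  "The default: *read-eval* is true, so the reader runs the #= form while
  parsing and splices its result into the data it returns."
  [text]
  (binding [*read-eval* true]
    (read-string text)))

(defn read-with-read-eval-off
  "Same reader with *read-eval* bound to false: EvalReader throws instead of
  evaluating. The error is returned as data so a server can reject the
  message rather than crash."
  [text]
  (binding [*read-eval* false]
    (try {:ok (read-string text)}
         (catch Exception e {:error (.getMessage e)}))))

(defn read-edn
  "clojure.edn/read-string (Clojure 1.5+, assumed available) reads the EDN
  subset only; it has no #= dispatch macro at all, so the text is rejected."
  [text]
  (try {:ok (edn/read-string text)}
       (catch Exception e {:error (.getMessage e)})))

;; The post's alternative: read as plain data, then walk the result looking
;; for sentinel keywords. Here :sorted-map (an assumed sentinel) flags that
;; the *following* map in a vector or list should become a sorted map; the
;; sentinel itself is dropped from the output.
(def sentinel :sorted-map)

(defn- apply-sentinels
  "Consume [sentinel map] pairs in one sequential collection, returning a
  vector. Keys of a flagged map must be mutually comparable, or
  (into (sorted-map) ...) throws; untrusted input should be validated for
  that before conversion."
  [coll]
  (loop [[x & more :as xs] (seq coll), out []]
    (cond
      (empty? xs) out
      (and (= x sentinel) (map? (first more)))
      (recur (next more) (conj out (into (sorted-map) (first more))))
      :else (recur more (conj out x)))))

(defn substitute-sentinels
  "Explicit recursive walk, children first, so nested structures are
  rewritten before their parents. Maps and sets are walked but never treated
  as sentinel pairs, so :sorted-map used as a map key is left alone."
  [data]
  (cond
    (map? data)    (into (empty data)
                         (map (fn [[k v]] [(substitute-sentinels k)
                                           (substitute-sentinels v)])
                              data))
    (set? data)    (into (empty data) (map substitute-sentinels data))
    (vector? data) (apply-sentinels (map substitute-sentinels data))
    (seq? data)    (apply list (apply-sentinels (map substitute-sentinels data)))
    :else          data))

(defn -main [& _]
  ;; With the default setting the result is (+ 5 "<java version>"): the
  ;; static call has already run by the time read-string returns.
  (println "unsafe :" (read-unsafely hostile-text))
  (println "guarded:" (read-with-read-eval-off hostile-text))
  (println "edn    :" (read-edn hostile-text))
  ;; Constructed data using the sentinel convention; no code is evaluated,
  ;; the walk only rewrites data it already holds.
  (let [{:keys [ok]} (read-edn "[:sorted-map {:b 1 :a 2} {:inner [:sorted-map {:z 1 :y 2}]}]")]
    (println "walked :" (substitute-sentinels ok))))
```

Save as reader_injection_demo.clj and run with `clj -M -i reader_injection_demo.clj -e '(reader-injection-demo/-main)'`. The guarded and EDN readers both return an :error map for the hostile text; the walked example prints `[{:a 2, :b 1} {:inner [{:y 2, :z 1}]}]` with the flagged maps now sorted. Since Clojure 1.5 the default for *read-eval* can also be set process-wide with the `clojure.read.eval` system property (`-Dclojure.read.eval=false`), which is the safer baseline for any program that reads text it did not write itself.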