On 23 Sep., 03:26, John Harrop <jharrop...@gmail.com> wrote:
> On Tue, Sep 22, 2009 at 6:46 PM, Eric Tschetter <eched...@gmail.com> wrote:
> But, this looks like a gaping security hole. You're taking an HTTP POST
> request body and eval'ing it. Someone will, sooner or later, try typing
> "(delete all the secret files)" into the web form and clicking Send. Or
> worse, something that will actually delete something or grant privilege.
> Sending "(doall (iterate inc 1))" will crash the server with OOME after a
> lengthy 100%-cpu-use hang while it fills memory with consecutive Integer
> objects, for a cheap and easy DoS attack. And so forth.
Remember that clojure runs in the JVM and a JVM can have a
SecurityManager which can be configured to allow or deny at most any
dangeroues operatÃon. A java policy file will to the trick, I think.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
-~----------~----~----~----~------~----~------~--~---
