Disabling it is definitely unnecessary. As you said before, we go as far as replacing the '.' special form with our own special safe dot that makes Java interop safe.
As a side note, clojurebot doesn't actually use clj-sandbox (yet, hint hiredman, hint), but sexpbot does. _ato hasn't broken sexpbot in a while. ;) On May 6, 1:04 pm, "Heinz N. Gies" <he...@licenser.net> wrote: > On May 6, 2010, at 20:57 , Anniepoo wrote: > > > Mibu - I've kind of gone around this track as well. > > My first reaction to the 'whitelist' was that it was kind of kludgy, > > and fought it for a long time, but after a lot of looking for other > > ways, I'm with Licenser, it's the best way to do it. > > Whitelists are indeed the only way to go, blacklists are not a option > since it is too easy to forget something and the only other thing left I can > imagine is a smart sandbox that works with actually understanding the code > and I'm not quite done with that yet :P.. > > > And yes, you have to disable java interop not because you can't > > sandbox java but because it makes a backdoor to allow execution of > > arbitrary clojure. > > I don't think you have to disable it, just restrict it since you can indeed > police > java code just good as clojure code. clj-sandbox works at the 'top' of a > function > so if a function x is whitelisted and x calls something that isn't - it still > allows x. > This is not a but but a feature here, it does this for a good reason, being > that > often you want to wrap a generally insecured function in a secure wrapper > allowing the sandbox limited access to this functionality. > > Regards, > Heinz > > -- > You received this message because you are subscribed to the Google > Groups "Clojure" group. > To post to this group, send email to clojure@googlegroups.com > Note that posts from new members are moderated - please be patient with your > first post. > To unsubscribe from this group, send email to > clojure+unsubscr...@googlegroups.com > For more options, visit this group > athttp://groups.google.com/group/clojure?hl=en -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en
