Following up on the thread "*read-eval* vulnerability", I started writing some 
documentation for how to read Clojure data safely.  That isn't ready yet, but 
before I get the time to finish that I wanted to quickly get out a warning that 
is obvious to some, but probably not all:

    NEVER use clojure.core/read or read-string for reading data from untrusted 
sources, only trusted ones.  Even from trusted sources, binding *read-eval* to 
false is probably a good idea, but that depends on your particular use case.


An example I wrote on ClojureDocs.org for function clojure.core/read several 
months ago was very badly wrong.  It said that binding *read-eval* to false 
would cause clojure.core/read to read data safely, even if that data came from 
an untrusted source.

I have modified that example to be a lot longer, and hopefully as correct and 
scary as it should be.  Please take a look at it if you use read or read-string 
anywhere in your Clojure code:

    http://clojuredocs.org/clojure_core/clojure.core/read

Andy

-- 
-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
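The following is an added example, not code from the post above or from the ClojureDocs page it links to. It illustrates the warning with a constructed, harmless input: clojure.core/read-string evaluates a `#=(...)` form at read time under the default `*read-eval*` binding, binding `*read-eval*` to false makes the reader reject that particular form, and clojure.edn/read-string (a Clojure 1.5+ namespace the post does not mention; assumed available) reads only the edn subset and has no eval form at all. As the post says, the `*read-eval*` binding on its own is not what makes reading untrusted data safe.

```clojure
(ns read-safely-example
  (:require [clojure.edn :as edn]))

;; Constructed sample input standing in for data received from an
;; untrusted source (for example a request body). The form #=(+ 1 2)
;; is deliberately harmless; it exists only to show that the default
;; reader evaluates it.
(def untrusted-input "{:user \"alice\" :value #=(+ 1 2)}")

(defn read-unsafely
  "Reads with clojure.core/read-string under the default *read-eval*
   binding (true). Any #=(...) form in the input is evaluated before
   this function returns, which is why it must never see untrusted data."
  [s]
  (read-string s))

(defn read-with-read-eval-false
  "Binds *read-eval* to false so the reader rejects #=(...) forms.
   This shows what the binding does; per the post above it is NOT
   sufficient to make clojure.core/read-string safe for untrusted input."
  [s]
  (binding [*read-eval* false]
    (read-string s)))

(defn read-edn
  "Reads only the edn subset with clojure.edn/read-string. The edn
   reader has no #= dispatch and performs no evaluation, so it is the
   reader to reach for when the source is untrusted."
  [s]
  (edn/read-string s))

(comment
  ;; Evaluated at read time: :value comes back as the result of (+ 1 2).
  (read-unsafely untrusted-input)
  ;; Rejected: the reader throws because #= is not allowed with
  ;; *read-eval* bound to false.
  (read-with-read-eval-false untrusted-input)
  ;; Rejected: the edn reader has no #= dispatch macro and throws.
  (read-edn untrusted-input)
  ;; Plain edn data reads fine.
  (read-edn "{:user \"alice\" :value 3}"))
```

Run the forms in the `comment` block at a REPL: the first call returns a map whose `:value` was computed by the reader, the second and third throw, and the last returns the data as written. The practical rule that follows from the post is to route untrusted input through `clojure.edn/read-string` (optionally with an explicit `:readers` map for tagged literals) rather than through `clojure.core/read-string` with any `*read-eval*` setting.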