On Feb 12, 2013, at 9:57 AM, Phil Hagelberg wrote:

> Andy Fingerhut writes:
>
>> It isn't just clojure.core/read executing code that can consume CPU
>> cycles that is the issue, it is clojure.core/read executing code that
>> can wreak havoc with your system and allow attackers to gain remote
>> control of it.
>
> Are there specific known problems with binding *read-eval* to false?
> Relying on read-edn makes it difficult to write libraries that are
> backwards-compatible.

I don't know of any problems with Clojure 1.5's clojure.core/read or read-string while binding *read-eval* to false. I do know of problems with them when using Clojure 1.4 and earlier (see below).

I know it is strongly recommended to use an edn reader instead of the full clojure.core/read and read-string, for data from untrusted sources.

One possibility I left out of my previous message, for lack of remembering it, is that the new contrib lib tools.reader provides an edn reader that works with Clojure 1.4 and later (it could be made to work with Clojure 1.3 if there is enough interest -- it currently uses 1.4-specific ex-info).

    http://github.com/clojure/tools.reader
    http://build.clojure.org/job/tools.reader-test-matrix

Examples of dangerous side effects that can occur with clojure.core/read and read-string in Clojure 1.4 and earlier:

    (defn read-string-unsafely [s]
      (binding [*read-eval* false]
        (read-string s)))

    ;; This causes a socket to be opened, as long as the JVM
    ;; sandboxing allows it.
    (read-string-unsafely "#java.net.Socket[\"www.google.com\" 80]")

    ;; This causes precious-file.txt to be created if it doesn't
    ;; exist, or if it does exist, its contents will be erased (given
    ;; appropriate JVM sandboxing permissions, and underlying OS file
    ;; permissions).
    (read-string-unsafely "#java.io.FileWriter[\"precious-file.txt\"]")

Those examples throw exceptions without calling the constructors in Clojure 1.5-RC15.

Andy
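
An edn-only reader for untrusted input, as an added example that is not part of the message above or of the Clojure project's code. It assumes Clojure 1.5 or later, where the clojure.edn namespace is available; the namespace name example.untrusted-read, the max-chars limit and the sample strings are constructed for illustration.

```clojure
(ns example.untrusted-read
  (:require [clojure.edn :as edn]))

;; Assumed cap on input size; tune it for your application.
(def max-chars 65536)

(defn read-untrusted
  "Reads the first edn value from string s without evaluating code or
  calling constructors. Returns {:ok value} or {:error message}."
  [s]
  (cond
    (not (string? s))       {:error "input is not a string"}
    (> (count s) max-chars) {:error "input too large"}
    :else
    (try
      ;; :readers {} registers no custom tags. The built-in #inst and
      ;; #uuid readers stay available. Because no :default handler is
      ;; given, any other tag makes the reader throw instead of
      ;; building an object. Empty input also throws (EOF).
      {:ok (edn/read-string {:readers {}} s)}
      (catch RuntimeException e
        {:error (.getMessage e)}))))

;; Constructed sample inputs: ordinary data, the two record-literal
;; strings from the message above, and a #= form.
(def samples
  ["{:user \"alice\" :roles [:admin]}"
   "#java.net.Socket[\"www.google.com\" 80]"
   "#java.io.FileWriter[\"precious-file.txt\"]"
   "#=(java.lang.System/exit 1)"])

;; Print each input next to the result map it produces.
(doseq [s samples]
  (println (pr-str s) "=>" (read-untrusted s)))
```

Only the first sample yields an :ok value; the other three come back as :error maps, with no socket opened and no file touched.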