With all these discussions about serialization safety in different
languages (see http://news.ycombinator.com/item?id=5343704 for some
commentary on Clojure's default reader, for example), I have to wonder:

1. Is Racket's (read) "safe" to use in an unsafe context?
2. If not, how can I (read) a value from an untrusted port safely?

For example (and perhaps as a friendly challenge), consider the
following program that might be running on a public port:

    #lang racket
    (require mzlib/thread)

    (run-server 5553
                (lambda (in out)
                  (let loop ()
                    (print (read in) out)
                    (newline out)
                    (flush-output out)
                    (loop)))
                30)

How might an attacker be able to connect to this and evaluate arbitrary
expressions? Using, say, the #s and #lang reader extensions might be
interesting...

If it is unsafe, how could we make this safe?
____________________
  Racket Users list:
  http://lists.racket-lang.org/users
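
One way to approach the second question, as an added example that is not part of the original post and not code from the Racket project: the same echo server with the reader parameters for `#reader`, `#lang`, compiled code and graph syntax set to `#f` explicitly, and each connection bounded in input size, time and memory. The names `read-data-only` and `handle` and the three limit values are assumptions chosen for illustration.

```racket
#lang racket
;; Added example, not from the original post.
(require mzlib/thread    ; run-server, as used in the post
         racket/port     ; make-limited-input-port
         racket/sandbox) ; call-with-limits

(define MAX-BYTES 65536) ; assumed cap on input per connection
(define MAX-SECS 5)      ; assumed time limit per datum
(define MAX-MB 32)       ; assumed memory limit per datum

;; Read one datum with the reader extensions that load or carry code
;; switched off explicitly, instead of relying on inherited parameter values.
(define (read-data-only in)
  (parameterize ([read-accept-reader #f]   ; reject #reader
                 [read-accept-lang #f]     ; reject #lang
                 [read-accept-compiled #f] ; reject #~ compiled code
                 [read-accept-graph #f]    ; reject #0= / #0# graph syntax
                 [current-readtable #f])   ; default readtable only
    (read in)))

;; Per-connection handler: same loop as the post, but reading through a
;; length-limited port and under time and memory limits.
(define (handle in out)
  ;; The limited port returns eof once MAX-BYTES have been consumed.
  (define limited (make-limited-input-port in MAX-BYTES #f))
  (let loop ()
    (define v
      ;; Read errors and exceeded limits both end the connection.
      (with-handlers ([exn:fail? (lambda (e) eof)])
        (call-with-limits MAX-SECS MAX-MB
                          (lambda () (read-data-only limited)))))
    (unless (eof-object? v)
      (print v out)
      (newline out)
      (flush-output out)
      (loop))))

(module+ main
  (run-server 5553 handle 30))
```

Prefab structures written with `#s` still read as plain data under these settings, so code that later consumes the value has to validate its shape itself.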
