There are some well-known vulnerabilities that are a result of
deserializing untrusted inputs. Are editor snips restrictive enough that
their deserialization is safe? After all, they are already loaded when a
file is opened in DrRacket, and a file on the disk may originate from an
untrusted source. In particular, I would be doing something like this
(snip-class-name, bytes, and snip-pos are from an untrusted source). The
whole thing will be wrapped in an exception handler:
(define snip-class (send (get-the-snip-class-list) find
snip-class-name)) ; Also handle case where this returns #f
(define bytes-base-in (make-object editor-stream-in-bytes-base%
bytes))
(define editor-stream-in (make-object editor-stream-in%
bytes-base-in))
(define new-snip (send snip-class read editor-stream-in))
(send text insert new-snip snip-pos)
Daniel
--
You received this message because you are subscribed to the Google Groups
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to racket-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/racket-users/153d1c59-0343-4ed9-805b-2909499ec98fn%40googlegroups.com.
