On Wed, Aug 26, 2009 at 1:13 PM, John Harrop wrote:
> This is important to know about for security reasons, also. Specifically, if
> you are receiving Clojure data structures in text form over the network, and
> don't set *read-eval* to false, you're vulnerable to a "Clojure injection
> attack". S
This is important to know about for security reasons, also. Specifically, if
you are receiving Clojure data structures in text form over the network, and
don't set *read-eval* to false, you're vulnerable to a "Clojure injection
attack". Someone could send you "(+ 5 #=(System/exit 0))" as a
denial-o
On Wed, Aug 26, 2009 at 1:13 PM, John Harrop wrote:
> This is important to know about for security reasons, also. Specifically,
> if you are receiving Clojure data structures in text form over the network,
> and don't set *read-eval* to false, you're vulnerable to a "Clojure
> injection attack".
That's great! Thanks a lot for the explanation.
On Aug 25, 2:58 pm, Richard Newman wrote:
> Incidentally, you can find this stuff out by reading the source, if
> you know where to look. It's a reader macro, so LispReader.java is the
> best place to start. Look for the metachar '=', which cro
Incidentally, you can find this stuff out by reading the source, if
you know where to look. It's a reader macro, so LispReader.java is the
best place to start. Look for the metachar '=', which crops up on line
91:
http://github.com/richhickey/clojure/blob/14316ae2110a779ffc8ac9c3da3f1c41852
> It's undocumented in http://clojure.org/reader. What is its name? What
> does it precisely do?
It's "EvalReader". What it does is cause the expression to be
evaluated at read time:
user=> (read-string "(+ 5 #=(* 9 9))")
(+ 5 81)
You can prevent this occurring by binding *read-eval*:
user=>
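An added example, not posted by anyone in this thread, showing the defensive side of the two messages above (John Harrop's warning about untrusted text and the *read-eval* binding just shown). The namespace, function names and sample strings are my own; the only assumption beyond the thread is that the code runs on a Clojure with clojure.edn, which was added in Clojure 1.5, after this 2009 discussion.

```clojure
;; Added example (not from the thread). Two ways to parse untrusted text so
;; that the reader never evaluates anything. Names here are hypothetical.
(ns untrusted-reader
  (:require [clojure.edn :as edn]))   ; clojure.edn exists since Clojure 1.5

(defn read-untrusted
  "Parse one form from s with *read-eval* bound to false, as the thread
   recommends. Returns the data, or ::rejected if the reader refused the
   input (the EvalReader throws when it meets #= under this binding)."
  [s]
  (binding [*read-eval* false]
    (try
      (read-string s)
      (catch Exception _ ::rejected))))

(defn read-untrusted-edn
  "Preferred on Clojure 1.5+: the EDN reader only knows data literals, so a
   #= form is a reader error rather than a feature that must be switched off."
  [s]
  (try
    (edn/read-string s)
    (catch Exception _ ::rejected)))

;; Constructed inputs: one benign map, one carrying the #= form from the thread.
(def benign "{:a 3, :b [1 2]}")
(def hostile "(+ 5 #=(* 9 9))")

(defn demo
  "Returns the result of each reader on each input, for inspection at a REPL."
  []
  {:clj-benign  (read-untrusted benign)
   :clj-hostile (read-untrusted hostile)
   :edn-benign  (read-untrusted-edn benign)
   :edn-hostile (read-untrusted-edn hostile)})
```

Two points worth keeping in mind when wiring this into a server: bind *read-eval* around every read of network input, not once at startup, since `binding` is thread-local and a thread pool will not inherit it; and treat the rejection as a logged event, because a #= form arriving from a client is a signal in itself, not just an input to drop.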
#= is a real Clojure reader macro. It often shows up when using *print-dup*:
Clojure 1.0.0-
user=> (binding [*print-dup* true] (println {:a 3, :b 2}))
#=(clojure.lang.PersistentArrayMap/create {:a 3, :b 2})
nil
user=> #=(clojure.lang.PersistentArrayMap/create {:a 3, :b 2})
{:b 2, :a 3}
It's und