Re: Is there any security risk related to the use of the reader?

2018-03-01 Thread Amirouche Boubekki
On 2018-03-02 00:56, Mark H Weaver wrote:
> I would not consider Guile's 'read' to be trustworthy when processing
> potentially malicious inputs.
>
> Mark

Thanks for the input. FWIW, I've written a procedure 'read' that is AFAIK safe but can _fail_ on malicious input. It can read: -

Re: Is there any security risk related to the use of the reader?

2018-03-01 Thread Mark H Weaver
Amirouche Boubekki writes:
> I have procedures like that in my program:
>
> (define-public (scm->string scm)
>   (call-with-output-string
>     (lambda (port)
>       (write scm port))))
>
> (define-public (string->scm string)
>   (call-with-input-string string read))
>

Re: Is there any security risk related to the use of the reader?

2018-02-28 Thread Christopher Lemmer Webber
Amirouche Boubekki writes:
> Seems like 'read' is unsafe against arbitrary code execution
> via srfi-10 and segfault or consume the whole memory on invalid
> input.

Yep... I think the answer is to write a safer read in scheme.

Re: Is there any security risk related to the use of the reader?

2018-02-25 Thread Amirouche Boubekki
On 2018-02-25 18:35, Christopher Lemmer Webber wrote:
> Luckily I kept notes on this... the answer is not very if you're snarfing stuff over the wire!
>
> : paroneayea: relatedly,
> : http://git.savannah.gnu.org/cgit/guile.git/commit/?id=e68dd5c601ef7975507d4118bcc2ad334b0450b2
> : i suppose

Re: Is there any security risk related to the use of the reader?

2018-02-25 Thread Amirouche Boubekki
On 2018-02-25 18:29, Matt Wette wrote:
> On 02/25/2018 07:35 AM, Amirouche Boubekki wrote:
> > I have procedures like that in my program:
> >
> > (define-public (scm->string scm)
> >   (call-with-output-string
> >     (lambda (port)
> >       (write scm port))))
> >
> > (define-public (string->scm string)

Re: Is there any security risk related to the use of the reader?

2018-02-25 Thread Christopher Lemmer Webber
Luckily I kept notes on this... the answer is not very if you're snarfing stuff over the wire!

: paroneayea: relatedly,
: http://git.savannah.gnu.org/cgit/guile.git/commit/?id=e68dd5c601ef7975507d4118bcc2ad334b0450b2
: i suppose that doc update doesn't touch security at all tho...

Re: Is there any security risk related to the use of the reader?

2018-02-25 Thread Amirouche Boubekki
On 2018-02-25 16:35, Amirouche Boubekki wrote:
> I have procedures like that in my program:
>
> (define-public (scm->string scm)
>   (call-with-output-string
>     (lambda (port)
>       (write scm port))))
>
> (define-public (string->scm string)
>   (call-with-input-string string read))
>
> Is it safe to pass to

Re: Is there any security risk related to the use of the reader?

2018-02-25 Thread Matt Wette
On 02/25/2018 07:35 AM, Amirouche Boubekki wrote:
> I have procedures like that in my program:
>
> (define-public (scm->string scm)
>   (call-with-output-string
>     (lambda (port)
>       (write scm port))))
>
> (define-public (string->scm string)
>   (call-with-input-string string read))
>
> Is it safe to