Walter Tetzner <
robot.nin...@gmail.com> writes:
> On Wednesday, May 9, 2012 9:35:57 AM UTC-4, Tassilo Horn wrote:
>
>> I don't think code-as-data contributes to code injection
>> vulnerability, neither positively nor negatively. Simply don't
>> `eval` code/data from sources you don't trust.
>
> I think it does contribute through the reader. If you are using
> Clojure sexps as your data format, and are calling `read' or
> 'read-string', you have an opening for code injection.
Ah, right, I've forgotten about the #=() syntax.
But if you `print` and `read` your data to/from files/databases/whatever
and there's a #=(explode-system) in it, then your system has been
compromised already and you have a problem anyway.
> Calling
>
> (binding [*read-eval* false]
> (read-string x))
>
> is clunky, and it's really easy to forget to bind *read-eval* to
> false.
>
> I feel like *read-eval* should default to false, and you should have
> to explicitly bind it to true.
Yes, probably. And possibly the major use-cases of #=() can be handled
with the new tagged literals in a better and safer way.
Bye,
Tassilo