<< Back to previous view

[CLJ-904] Document *read-eval* in read, read-string Created: 31/Dec/11  Updated: 22/Feb/13  Resolved: 15/Feb/13

Status: Closed
Project: Clojure
Component/s: None
Affects Version/s: Release 1.1, Release 1.2, Release 1.3, Release 1.4
Fix Version/s: None

Type: Defect Priority: Trivial
Reporter: Tim McCormack Assignee: Unassigned
Resolution: Completed Votes: 6
Labels: None

Attachments: Text File 0002-CLJ-904-Note-about-read-eval-on-docstrings-for-reade.patch    
Patch: Code
Approval: Vetted

 Description   

Even though the #=() reader syntax is "unofficial", *read-eval* should be documented in the appropriate API functions – this is a serious security problem for anyone accepting serialized Clojure data structures. E.g., a system service reading a config file, a server accepting an API request.



 Comments   
Comment by Tim McCormack [ 13/Nov/12 6:49 PM ]

My goodness, I entirely neglected to attach a patch for this! Well, here it is, short and sweet.

Comment by Andy Fingerhut [ 14/Nov/12 2:34 PM ]

Tim, I'm pretty sure that read-line's behavior is safe regardless of the value of read-eval. It only reads characters from the stream without interpretation or evaluation, and returns them as a string. If so, adding the warning to read-line's doc string seems wrong.

Comment by Tim McCormack [ 14/Nov/12 10:06 PM ]

Oops! Replaced the patch.

Comment by Christopher Redinger [ 27/Nov/12 5:36 PM ]

Patch applies cleanly and adds a useful message.

Comment by Steve Miner [ 30/Jan/13 10:15 AM ]

See also discussion on the mailing list:
https://groups.google.com/forum/?fromgroups=#!topic/clojure/qUk-bM0JSGc

Several people who care about safety think that *read-eval* should be false by default. Documentation does not make up for a security hole.

Comment by Steve Miner [ 30/Jan/13 10:44 AM ]

It would be useful to document the interaction between *print-dup* and *read-eval* as well. In most cases, if you use *print-dup* true to preserve exact types, you'll want to bind *read-eval* true to read them. Code that depends on their default values is brittle.

Comment by Andy Fingerhut [ 30/Jan/13 10:52 AM ]

See also the newer ticket CLJ-1153, which has a patch to change read-eval default value to false.

Comment by Andy Fingerhut [ 06/Feb/13 12:38 PM ]

With the recent changes Rich has done to add read-edn and read-edn-string, he has also updated the doc strings of read and read-string to call out the potential security dangers, emphasize that they are intended for use only in reading code and/or data from trusted sources, and to point to the safer read-edn and read-edn-string for data interchange purposes.

The purpose of this ticket seems to be satisfied with those commits.

Generated at Fri Aug 22 04:52:01 CDT 2014 using JIRA 4.4#649-r158309.