[CLJ-904] Document *read-eval* in read, read-string
Created: 31/Dec/11   Updated: 22/Feb/13   Resolved: 15/Feb/13

Status: Closed
Project: Clojure
Component/s: None
Affects Version/s: Release 1.1, Release 1.2, Release 1.3, Release 1.4
Fix Version/s: None
Type: Defect
Priority: Trivial
Reporter: Tim McCormack
Assignee: Unassigned
Resolution: Completed
Votes: 6
Labels: None
Attachments:
Patch: Code
Approval: Vetted

Description
Even though the #=() reader syntax is "unofficial", *read-eval* should be documented in the appropriate API functions – this is a serious security problem for anyone accepting serialized Clojure data structures. E.g., a system service reading a config file, a server accepting an API request.

Comments
Comment by Tim McCormack [ 13/Nov/12 6:49 PM ]

My goodness, I entirely neglected to attach a patch for this! Well, here it is, short and sweet.

Comment by Andy Fingerhut [ 14/Nov/12 2:34 PM ]

Tim, I'm pretty sure that read-line's behavior is safe regardless of the value of read-eval. It only reads characters from the stream without interpretation or evaluation, and returns them as a string. If so, adding the warning to read-line's doc string seems wrong.

Comment by Tim McCormack [ 14/Nov/12 10:06 PM ]

Oops! Replaced the patch.

Comment by Christopher Redinger [ 27/Nov/12 5:36 PM ]

Patch applies cleanly and adds a useful message.

Comment by Steve Miner [ 30/Jan/13 10:15 AM ]

See also discussion on the mailing list: Several people who care about safety think that *read-eval* should be false by default. Documentation does not make up for a security hole.

Comment by Steve Miner [ 30/Jan/13 10:44 AM ]

It would be useful to document the interaction between *print-dup* and *read-eval* as well. In most cases, if you use *print-dup* true to preserve exact types, you'll want to bind *read-eval* true to read them. Code that depends on their default values is brittle.

Comment by Andy Fingerhut [ 30/Jan/13 10:52 AM ]

See also the newer ticket

Comment by Andy Fingerhut [ 06/Feb/13 12:38 PM ]

With the recent changes Rich has done to add read-edn and read-edn-string, he has also updated the doc strings of read and read-string to call out the potential security dangers, emphasize that they are intended for use only in reading code and/or data from trusted sources, and to point to the safer read-edn and read-edn-string for data interchange purposes. The purpose of this ticket seems to be satisfied with those commits.
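The hazard in the ticket description and the safer alternative named in the last comment, as an added example (not part of the ticket or of Clojure's own code): the same constructed input is read three ways, so you can see that clojure.core/read-string evaluates #=() under the default *read-eval*, that binding *read-eval* false makes the reader reject it, and that the edn reader (which shipped in Clojure 1.5 as clojure.edn/read-string, the released name of the read-edn-string mentioned above) has no #= syntax at all. The sample input and the function names are constructed for this example.

```clojure
(ns readeval-demo
  (:require [clojure.edn :as edn]))

;; Constructed sample input: what looks like a plain data map, but with a
;; #=() form embedded in it. The form itself is harmless arithmetic; the point
;; is that it is *evaluated* during reading when *read-eval* is true.
(def untrusted-input "{:user \"alice\" :n #=(+ 1 2)}")

(defn read-unsafely
  "clojure.core/read-string with *read-eval* true (the default): any #=()
   form in the input is evaluated by the reader before you ever see the data."
  [s]
  (binding [*read-eval* true]
    (read-string s)))

(defn read-with-read-eval-off
  "Same reader, but with *read-eval* bound to false: the reader throws on
   #=() instead of evaluating it."
  [s]
  (binding [*read-eval* false]
    (read-string s)))

(defn read-as-edn
  "clojure.edn/read-string never evaluates anything; #= is not an edn
   dispatch macro, so the input is rejected as malformed."
  [s]
  (edn/read-string s))

(defn classify
  "Applies reader-fn to s and reports :evaluated when the embedded form ran
   (the map's :n value became 3), :ok when it was read as inert data, or
   :rejected when the reader threw."
  [reader-fn s]
  (try
    (let [v (reader-fn s)]
      (if (= 3 (:n v)) :evaluated :ok))
    (catch Exception _ :rejected)))

(comment
  ;; Evaluate these at a REPL to compare the three readers on the same input.
  (classify read-unsafely untrusted-input)
  (classify read-with-read-eval-off untrusted-input)
  (classify read-as-edn untrusted-input))
```

For data from config files or network clients, reading with clojure.edn (or binding *read-eval* false around clojure.core/read) is the check to build in; relying on the default value of *read-eval* is exactly the brittleness the comments above describe.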