Clojure JIRA http://dev.clojure.org/jira This file is an XML representation of an issue en-us 4.4 649 25-07-2011 [CLJ-904] Document *read-eval* in read, read-string http://dev.clojure.org/jira/browse/CLJ-904 Clojure <p>Even though the #=() reader syntax is "unofficial", &#42;read-eval&#42; should be documented in the appropriate API functions &#8211; this is a serious security problem for anyone accepting serialized Clojure data structures. E.g., a system service reading a config file, a server accepting an API request.</p> CLJ-904 Document *read-eval* in read, read-string Defect Trivial Closed Completed Unassigned Tim McCormack Sat, 31 Dec 2011 09:39:50 -0600 Fri, 22 Feb 2013 09:02:45 -0600 Fri, 15 Feb 2013 11:00:12 -0600 Release 1.1 Release 1.2 Release 1.3 Release 1.4 6 5 <p>My goodness, I entirely neglected to attach a patch for this! Well, here it is, short and sweet.</p> <p>Tim, I'm pretty sure that read-line's behavior is safe regardless of the value of <b>read-eval</b>. It only reads characters from the stream without interpretation or evaluation, and returns them as a string. If so, adding the warning to read-line's doc string seems wrong.</p> <p>Oops! Replaced the patch.</p> <p>Patch applies cleanly and adds a useful message.</p> <p>See also discussion on the mailing list: <br/> <a href="https://groups.google.com/forum/?fromgroups=#!topic/clojure/qUk-bM0JSGc">https://groups.google.com/forum/?fromgroups=#!topic/clojure/qUk-bM0JSGc</a></p> <p>Several people who care about safety think that &#42;read-eval* should be false by default. Documentation does not make up for a security hole.</p> <p>It would be useful to document the interaction between &#42;print-dup* and &#42;read-eval* as well. In most cases, if you use &#42;print-dup* true to preserve exact types, you'll want to bind &#42;read-eval* true to read them. Code that depends on their default values is brittle.</p> <p>See also the newer ticket <a href="http://dev.clojure.org/jira/browse/CLJ-1153" title="Change *read-eval* default value to false"><del>CLJ-1153</del></a>, which has a patch to change <b>read-eval</b> default value to false.</p> <p>With the recent changes Rich has done to add read-edn and read-edn-string, he has also updated the doc strings of read and read-string to call out the potential security dangers, emphasize that they are intended for use only in reading code and/or data from trusted sources, and to point to the safer read-edn and read-edn-string for data interchange purposes.</p> <p>The purpose of this ticket seems to be satisfied with those commits.</p> Approval Vetted Global Rank Patch Code