Reported by dresweng...@dreish.org, Jan 06, 2009
Like any good Lisp, Clojure can compile and run code while reading, read and compile code while
running, and read and run code while compiling.
Unfortunately that means it isn't safe for an application to use (read) to read something from an
untrusted source. If the input stream contains, e.g., #=(eval (def core-app-function #(throw
(Exception.)))), the application would blow up.
Feature request is for a version of the reader that has #= shut off, for reading untrusted data.
(Discussion was on #clojure; rhickey asked me to add this, so there's no Google Group discussion
that I'm aware of.)
Comment 1 by christophe.grand, Jan 17, 2009
the aforementioned discussion: http:Comment 2 by the.stuart.sierra, Feb 18, 2009
Common Lisp has *read-eval*:
A similar flag might be an easy way to implement a "safe" reader.
Comment 3 by jhawk28, Mar 17, 2009
adds the *read-eval*
2.1 KB Download
Comment 4 by richhickey, Apr 12, 2009
Patch applied - r1347 - thanks!