I’m looking for an easy and safe way to parse a map, and only a map, from a string supplied by an untrusted source. The map contains keywords and numbers. What are the security concerns of using `read` to do this?
`read` is by default totally unsafe: it allows arbitrary code execution. Try

```clojure
(read-string "#=(println \"hello\")")
```

as an example. You can make it safer by binding `*read-eval*` to false. This will cause an exception to be triggered if the `#=` notation is used. For example:

```clojure
(binding [*read-eval* false]
  (read-string "#=(println \"hello\")"))
```

Finally, depending on how you are using it, there is a potential denial of service attack by supplying a large number of keywords (`:foo`, `:bar`). Keywords are interned and never freed, so if enough are used the process will run out of memory. There’s some discussion about that on the clojure-dev list.
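As an added example (not code from the question or the answer above), the following puts the two points together into a single parsing function for the "a map, and only a map, of keywords to numbers" requirement. It swaps in `clojure.edn/read`, which is the data-only reader and has no `#=` dispatch at all, so reader evaluation cannot happen regardless of `*read-eval*`. It then reads exactly one form, rejects trailing content, checks the shape of the result before handing it back, and caps the input length so a single input cannot make the reader intern an unbounded number of keywords. The namespace name, the 4096-character limit and the sample inputs in `-main` are constructed for this example.

```clojure
(ns untrusted-map
  "Added example: parse a keyword->number map from an untrusted string."
  (:require [clojure.edn :as edn])
  (:import [java.io PushbackReader StringReader]))

;; Constructed limit: caps how many keywords one input can make the reader intern.
(def max-input-chars 4096)

(defn- read-single-form
  "Reads exactly one EDN form from s. Returns ::invalid if the reader throws
  or if anything other than whitespace follows the first form."
  [s]
  (let [rdr  (PushbackReader. (StringReader. s))
        opts {:eof ::eof}]
    (try
      (let [form (edn/read opts rdr)]
        ;; A second read must hit end-of-stream, otherwise there was trailing data.
        (if (= ::eof (edn/read opts rdr)) form ::invalid))
      (catch Exception _ ::invalid))))

(defn- keyword->number-map?
  "True only for a map whose keys are all keywords and values all numbers."
  [form]
  (and (map? form)
       (every? (fn [[k v]] (and (keyword? k) (number? v))) form)))

(defn parse-untrusted-map
  "Returns the map if s is a single keyword->number map within the size limit,
  nil otherwise. clojure.edn has no #= dispatch, so reader eval cannot occur."
  [s]
  (when (and (string? s) (<= (count s) max-input-chars))
    (let [form (read-single-form s)]
      (when (keyword->number-map? form) form))))

(defn -main [& _]
  ;; Constructed sample inputs exercising the accept and reject paths.
  (doseq [s ["{:foo 1 :bar 2.5}"           ; accepted
             "#=(println \"hello\")"       ; #= is not EDN: reader throws, rejected
             "{:foo (println \"hello\")}"  ; value is a list, not a number: rejected
             "{\"foo\" 1}"                 ; string key: rejected
             "{:foo 1} {:bar 2}"           ; second form after the map: rejected
             "[:foo 1]"]]                  ; vector, not a map: rejected
    (println (pr-str s) "->" (pr-str (parse-untrusted-map s)))))
```

The order of the checks matters: the length test runs before any reading, the reader error and trailing-data cases collapse to a single `::invalid` sentinel so callers only ever see a map or `nil`, and the shape check runs on the already-read value, which is the only point at which "keywords to numbers" can actually be verified.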