[plt-scheme] eval when reading?

From: Ryan Culpepper (ryan_sml at yahoo.com)
Date: Fri Sep 8 03:49:23 EDT 2006

Actually, there effectively is: #reader extensions trigger a dynamic
require based on the following datum. The default value of the
current-reader-guard parameter allows planet module paths, so
effectively arbitrary code can be executed by inputs containing
#reader, *if* #reader is enabled. By default, it isn't: the parameter
that enables #reader extensions, read-accept-reader, has a default
value of #f.

There is also a current-readtable parameter. You should make sure
that your web app cannot change the current-readtable, or you can
parameterize it to #f (the default mzscheme behavior) when you fetch
the input.

Section 7.9.1.3 of the mzscheme manual lists the parameters that
affect the reader. Section 11.2.4 describes the behavior of the
default reader, and Section 11.2.8 talks about readtables.

Ryan

--- Noel Welsh <noelwelsh at yahoo.com> wrote:

> There isn't, and MzScheme allows fine grained control over
> what you allow evaled code to do.  There are two main
> mechanisms:
> 
>   - you can eval code in a custom namespace containing only
> those functions you allow
> 
>   - you can use various security managers to disable file
> and network access.
> 
> In addition to the MzScheme docs, see:
> 
> http://schemecookbook.org/Cookbook/DynamicEvalCustomNamespace
> 
> http://schemecookbook.org/Cookbook/DynamicUntrustedEval
> 
> HTH,
> Noel
> 
> --- Paul Graham <pg at ycombinator.com> wrote:
> 
> > Is there anything in mzscheme like the #. of CL, which
> > causes its arg to be evaluated when encountered by read?
> > 
> > I'm asking mainly because I'm hoping if there is, it's
> > turned off by default, because I'm planning to call read on
> > user-submitted input in a web app, and I don't want this to
> > be a security hole.
> > 
> > Thanks!  --pg
> > _________________________________________________
> >   For list-related administrative tasks:
> >   http://list.cs.brown.edu/mailman/listinfo/plt-scheme
> > 
> 
> 
> Email: noelwelsh <at> yahoo <dot> com   noel <at> untyped <dot> com
> AIM: noelhwelsh
> Blogs: http://monospaced.blogspot.com/ 
> http://www.untyped.com/untyping/
> 
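A small Racket function, added here as an example and not code from the thread, that applies Ryan's advice: it parameterizes read-accept-reader and current-readtable around the read of untrusted text, so a #reader prefix is reported as a read error instead of triggering a dynamic require. It assumes a current Racket installation; the parameter names are the same ones the mzscheme manual documents, and the sample inputs are constructed.

```racket
#lang racket
;; Added example, not code from the thread.
;; Read exactly one datum from untrusted text with reader extensions off.
;; Returns (list 'ok datum) or (list 'error message).
(define (read-untrusted str)
  (parameterize ([read-accept-reader #f]   ; no #reader / #lang dispatch
                 [current-readtable #f])   ; stock reader; ignore any app readtable
    (with-handlers ([exn:fail:read?
                     (lambda (e) (list 'error (exn-message e)))])
      (define in (open-input-string str))
      (define datum (read in))
      (cond
        [(eof-object? datum) (list 'error "empty input")]
        ;; Trailing junk after the first datum is rejected rather than ignored.
        [(not (eof-object? (read in))) (list 'error "more than one datum")]
        [else (list 'ok datum)]))))

;; Constructed sample inputs.
;; Plain S-expression: comes back as a datum, nothing is evaluated.
(displayln (read-untrusted "(user \"alice\" (roles admin))"))
;; Looks like code, but read only builds a list; no call happens.
(displayln (read-untrusted "(system \"touch /tmp/x\")"))
;; #reader prefix: rejected by the reader because read-accept-reader is #f.
(displayln (read-untrusted "#reader some/fake/module (+ 1 2)"))
;; Two datums: rejected by the trailing-input check.
(displayln (read-untrusted "(a) (b)"))
```

The parameterize form scopes the settings to this read only, so an application-wide readtable or a #lang-aware reader used elsewhere in the web app is unaffected.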

Posted on the users mailing list.