[racket] Is (read) safe?

From: Robby Findler (robby at eecs.northwestern.edu)
Date: Fri Mar 8 22:55:43 EST 2013

I think the only thing they can do with that program is run it out of
memory (unless there is a bug). All such code execution things built into
read are, by default, disabled. You can avoid running out of memory with
either custodian memory limits, or by just using the sandbox library.

Robby


On Fri, Mar 8, 2013 at 9:46 PM, Michael Wilber <mwilber at uccs.edu> wrote:

> With all these discussions about serialization safety in different
> languages (see http://news.ycombinator.com/item?id=5343704 for some
> commentary on Clojure's default reader for example), I have to wonder:
>
> 1. Is Racket's (read) "safe" to use in an unsafe context?
> 2. If not, how can I (read) a value from an untrusted port safely?
>
> For example (and perhaps as a friendly challenge), consider the
> following program that might be running on a public port:
>
>     #lang racket
>     (require mzlib/thread)
>
>     (run-server 5553
>                 (lambda (in out)
>                   (let loop ()
>                     (print (read in) out)
>                     (newline out)
>                     (flush-output out)
>                     (loop)))
>                 30)
>
> How might an attacker be able to connect to this and evaluate arbitrary
> expressions? Using, say, the #s and #lang reader extensions might be
> interesting...
>
> If it is unsafe, how could we make this safe?

Posted on the users mailing list.
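
The two mitigations named in the reply, reader extensions left disabled and a custodian memory limit, as an added example that is not part of the original thread. `read-untrusted` and `call-with-memory-limit` are hypothetical helper names, the 64 MB limit is an arbitrary assumption, and the sample inputs are constructed.

```racket
#lang racket/base
;; Added example: reader settings pinned explicitly, plus a custodian memory cap.
;; read-untrusted and call-with-memory-limit are hypothetical helper names.

(define (read-untrusted in)
  ;; read-accept-reader and read-accept-compiled default to #f; pinning all
  ;; three guards against code elsewhere having changed the parameters.
  (parameterize ([read-accept-reader #f]
                 [read-accept-lang #f]
                 [read-accept-compiled #f])
    (read in)))

(define (call-with-memory-limit limit-bytes thunk)
  (define cust (make-custodian))
  ;; Shut down cust (killing its threads) once it holds more than limit-bytes.
  (custodian-limit-memory cust limit-bytes cust)
  (define ch (make-channel))
  (define worker
    (parameterize ([current-custodian cust])
      (thread
       (lambda ()
         (channel-put
          ch
          (with-handlers ([exn:fail? (lambda (e)
                                       (list 'rejected (exn-message e)))])
            (list 'ok (thunk))))))))
  ;; Either the worker hands back a result, or it died without one.
  (define result
    (sync ch
          (handle-evt (thread-dead-evt worker)
                      (lambda (_) (list 'killed "memory limit reached")))))
  (custodian-shutdown-all cust)
  result)

;; Constructed sample inputs: plain data with a prefab struct, then the two
;; reader extensions that would load a module if they were enabled.
(define samples
  '("(1 2 #s(point 3 4))"
    "#reader racket/base (x)"
    "#lang racket"))

(for ([s (in-list samples)])
  (define in (open-input-string s))
  (printf "~s => ~s\n" s
          (call-with-memory-limit (* 64 1024 1024)
                                  (lambda () (read-untrusted in)))))
```

In a server, the same wrapper would go around the per-connection loop so that one client's oversized datum shuts down only that connection's custodian.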