[racket] Is (read) safe?

From: Michael Wilber (mwilber at uccs.edu)
Date: Fri Mar 8 22:46:55 EST 2013

With all these discussions about serialization safety in different
languages (see http://news.ycombinator.com/item?id=5343704 for some
commentary on clojure's default reader for example), I have to wonder:

1. Is racket's (read) "safe" to use in an unsafe context?
2. If not, how can I (read) a value from an untrusted port safely?

For example (and perhaps as a friendly challenge), consider the
following program that might be running on a public port:

    #lang racket
    (require mzlib/thread)

    (run-server 5553
                (lambda (in out)
                  (let loop ()
                    (print (read in) out)
                    (newline out)
                    (flush-output out)

How might an attacker be able to connect to this and evaluate arbitrary
expressions? Using, say, the #s and #lang reader extensions might be

If it is unsafe, how could we make this safe?

Posted on the users mailing list.