The socket repl is inherently not secure. It allows anyone to connect and 
run arbitrary code on the process. However, by default it is not running - 
you need to add extra system properties to start the server(s). If someone 
can start your server with arbitrary system properties, I'd say that is a 
bigger problem.

On Friday, April 13, 2018 at 12:51:07 PM UTC-5, Didier wrote:
>
> I'd love an independent penetration and security audit of the Clojure 
> codebase. Especially around the socket repl in a localhost restricted way 
> and making sure it's not exploitable.
>
> I wonder how much it costs, and if Clojurists Together could have one 
> funded.
>
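As an added illustration of the point made in the reply (this is not code from the thread or from the Clojure project): the socket REPL only exists when the launcher explicitly asks for it, and when it is started it can be pinned to the loopback interface. The server name `local-repl` and port `5555` below are constructed values; `:address`, `:port`, `:accept` and `:name` are real options of `clojure.core.server/start-server`, and the `clojure.server.<name>` system property is the real mechanism the reply refers to.

```clojure
;; Added example, not from the thread: a socket REPL that only loopback
;; clients can reach, plus the system-property form and a way to check
;; what is actually listening.
(require '[clojure.core.server :as server])

;; Programmatic form. :address defaults to the loopback address already;
;; stating it explicitly makes the intent visible in code review.
;; "local-repl" and 5555 are constructed values for this example.
(server/start-server {:name    "local-repl"
                      :port    5555
                      :accept  'clojure.core.server/repl
                      :address "127.0.0.1"})

;; Equivalent system-property form. Nothing listens unless the process is
;; launched with a property like this, which is the reply's point:
;;   java -Dclojure.server.local-repl="{:port 5555 :accept clojure.core.server/repl :address \"127.0.0.1\"}" \
;;        -cp <classpath> clojure.main
;; A build or deployment review can therefore grep launch scripts and JVM
;; options for "clojure.server." to find any REPL servers being enabled.

;; Verify the bind address on a Linux host (assumes the `ss` tool):
;;   ss -ltn | grep 5555
;; Expect 127.0.0.1:5555; an entry on 0.0.0.0 or * means the REPL is
;; reachable from other hosts.

;; Stop the server when it is no longer needed.
(server/stop-server "local-repl")
```

The configuration keys above are the ones `clojure.core.server` documents; the check with `ss` is a generic Linux command, not something the thread itself describes.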

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en