thank you, this was an easy read even for me
On Mon, Feb 11, 2013 at 7:32 PM, Andy Fingerhut <andy.finger...@gmail.com>wrote: > And just in case it gets edited by someone else before you have a chance > to read it, I've copied and pasted the current version below for reference. > Correction/comments/questions all welcome. > > On Feb 11, 2013, at 10:29 AM, Andy Fingerhut wrote: > > > Following up on the thread "*read-eval* vulnerability", I started > writing some documentation for how to read Clojure data safely. That isn't > ready yet, but before I get the time to finish that I wanted to quickly get > out a warning that is obvious to some, but probably not all: > > > > NEVER use clojure.core/read or read-string for reading data from > untrusted sources, only trusted ones. Even from trusted sources, binding > *read-eval* to false is probably a good idea, but that depends on your > particular use case. > > > > > > An example I wrote on ClojureDocs.org for function clojure.core/read > several months ago was very badly wrong. It said that binding *read-eval* > to false would cause clojure.core/read to read data safely, even if that > data came from an untrusted source. > > > > I have modified that example to be a lot longer, and hopefully as > correct and scary as it should be. Please take a look at it if you use > read or read-string anywhere in your Clojure code: > > > > http://clojuredocs.org/clojure_core/clojure.core/read > > > > Andy > > > ;; WARNING: You SHOULD NOT use clojure.core/read or > clojure.core/read-string to > ;; read data from untrusted sources. They were designed only for reading > Clojure > ;; code and data from trusted sources (e.g. files that you know you wrote > ;; yourself, and no one else has permission to modify them). > > ;; Instead, either: > > ;; (a) use another data serialization format such as JSON, XML, etc. and a > ;; library for reading them that you trust not to have vulnerabilities, or > > ;; (b) if you want a serialization format that can be read safely and > looks like > ;; Clojure data structures, use edn (https://github.com/edn-format/edn), > for > ;; which Clojure 1.5 has functions clojure.edn/read and > clojure.edn/read-string > ;; to read them safely. > > ;; You definitely should not use clojure.core/read or read-string if > *read-eval* > ;; has its default value of true, because an attacker could cause your > ;; application to execute arbitrary code while it is reading. Example: > > user=> (read-string "#=(clojure.java.shell/sh \"echo\" \"hi\")") > {:exit 0, :out "hi\n", :err ""} > > ;; It is straightforward to modify the example above into more destructive > ;; ones that remove all of your files, copy them to someone else's computer > ;; over the Internet, install Trojans, etc. > > ;; Even if you do bind *read-eval* to false first, like so: > > (defn read-string-unsafely [s] > (binding [*read-eval* false] > (read-string s))) > > ;; you may hope you are safe reading untrusted data that way, but in > Clojure 1.4 > ;; and earlier, an attacker can send data that causes your system to > execute > ;; arbitrary Java constructors. Most of these are benign, but it only > takes one > ;; to ruin your application's day. Examples that should scare you: > > ;; This causes a socket to be opened, as long as the JVM > ;; sandboxing allows it. > (read-string-unsafely "#java.net.Socket[\"www.google.com\" 80]") > > ;; This causes precious-file.txt to be created if it doesn't > ;; exist, or if it does exist, its contents will be erased (given > ;; appropriate JVM sandboxing permissions, and underlying OS file > ;; permissions). > (read-string-unsafely "#java.io.FileWriter[\"precious-file.txt\"]") > > ;; The particular issue of executing arbitrary Java constructors used in > the > ;; examples above no longer works in Clojure 1.5 when *read-eval* is false. > ;; Even so, you SHOULD NEVER USE clojure.core/read or > clojure.core/read-string > ;; for reading untrusted data. > > ;; If you understand all of the above, and want to use read or read-string > to > ;; read data from a _trusted_ source, continue on below. > > ;; read wants *in* set to a java.io.PushbackReader. > ;; with-open sets *in* and closes it after it's done. > ;; *read-eval* specifies whether to evaluate #=() forms > ;; when reading. > (defn read-from-file-with-trusted-contents [filename] > (with-open > [r (java.io.PushbackReader. > (clojure.java.io/reader filename))] > (binding [*read-eval* false] > (read r)))) > > user=> (spit "testfile.txt" "{:a 1 :b 2 :c 3}") > nil > user=> (read-from-file-with-trusted-contents "testfile.txt") > {:a 1, :b 2, :c 3} > > -- > -- > You received this message because you are subscribed to the Google > Groups "Clojure" group. > To post to this group, send email to clojure@googlegroups.com > Note that posts from new members are moderated - please be patient with > your first post. > To unsubscribe from this group, send email to > clojure+unsubscr...@googlegroups.com > For more options, visit this group at > http://groups.google.com/group/clojure?hl=en > --- > You received this message because you are subscribed to the Google Groups > "Clojure" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to clojure+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > > -- Please correct me if I'm wrong or incomplete, even if you think I'll subconsciously hate it. -- -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
