On 2018-02-25 18:29, Matt Wette wrote:
> On 02/25/2018 07:35 AM, Amirouche Boubekki wrote:
>> I have procedures like that in my program:
>>
>> (define-public (scm->string scm)
>>   (call-with-output-string
>>     (lambda (port)
>>       (write scm port))))
>>
>> (define-public (string->scm string)
>>   (call-with-input-string string read))
>>
>> Is it safe to pass to these procedures input from third parties?
>>
>> TIA!
>
> maybe check (ice-9 sandbox), explained in section 6.18.12 of the 2.2.3
> manual

I don't know what the performance implications are of
serializing / deserializing in a sandbox. This would slow
down every write / read.

The alternative I am thinking about is to use msgpack
but I will lose direct representation of bignum, maybe
it's a good enough strategy. People that need precision
maybe use hdf5 string representation.
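
A stricter variant of the `string->scm` procedure quoted above, as an added example that is not part of the thread: it caps input size, requires exactly one datum, and accepts only plain data (bignums included, so the textual representation is kept). The names `string->scm/checked` and `plain-datum?` and the three limit values are assumptions made for illustration.

```scheme
;; Added example, not code from the thread. The names string->scm/checked,
;; plain-datum? and the three limits are hypothetical; the limit values are
;; arbitrary and should be tuned to the application.
(define max-input-chars 65536)  ; reject oversized input before parsing
(define max-depth 32)           ; maximum nesting of lists/vectors
(define max-nodes 10000)        ; maximum number of visited objects

;; #t if X consists only of atoms, pairs and vectors, within the limits.
(define (plain-datum? x)
  (let ((nodes 0))
    (let loop ((x x) (depth 0))
      (set! nodes (+ nodes 1))
      (and (<= nodes max-nodes)
           (<= depth max-depth)
           (cond
            ((or (number? x) (string? x) (symbol? x)
                 (boolean? x) (char? x) (null? x))
             #t)
            ((pair? x)
             (and (loop (car x) (+ depth 1))
                  (loop (cdr x) depth)))
            ((vector? x)
             (let vloop ((i 0))
               (or (= i (vector-length x))
                   (and (loop (vector-ref x i) (+ depth 1))
                        (vloop (+ i 1))))))
            ;; keywords, bytevectors and anything else are rejected
            (else #f))))))

;; Like string->scm, but accepts exactly one datum of an allowed shape.
;; Malformed syntax still raises the reader's own error; callers should
;; catch it.
(define (string->scm/checked str)
  (when (> (string-length str) max-input-chars)
    (error "input too large" (string-length str)))
  (call-with-input-string str
    (lambda (port)
      (let ((datum (read port)))
        (cond
         ((eof-object? datum) (error "no datum in input"))
         ((not (eof-object? (read port))) (error "trailing data after datum"))
         ((not (plain-datum? datum)) (error "datum outside allowed shape"))
         (else datum))))))

;; Constructed sample inputs:
;; (string->scm/checked "(1 \"two\" 123456789012345678901234567890)") ; bignum kept
;; (string->scm/checked "(a) (b)")   ; error: trailing data
```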