There are some well-known vulnerabilities that are a result of 
deserializing untrusted inputs. Are editor snips restrictive enough that 
their deserialization is safe? After all, they are already loaded when a 
file is opened in DrRacket, and a file on the disk may originate from an 
untrusted source. In particular, I would be doing something like this 
(snip-class-name, bytes, and snip-pos are from an untrusted source). The 
whole thing will be wrapped in an exception handler:

        (define snip-class (send (get-the-snip-class-list) find 
snip-class-name)) ; Also handle case where this returns #f
        (define bytes-base-in (make-object editor-stream-in-bytes-base% 
        (define editor-stream-in (make-object editor-stream-in% 
        (define new-snip (send snip-class read editor-stream-in))
        (send text insert new-snip snip-pos)


You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To view this discussion on the web visit

Reply via email to