I don't know much about this specific case, but see Robby's comment about
how "DrRacket can run user (untrusted) code in certain situations" at
https://github.com/racket/gui/issues/157. A concrete problem I found is
that you can have a snip running `struct->vector` and it will successfully
extract private fields of that struct value, even though it won't be able
to if you do that in normal circumstances.

On Thu, Aug 20, 2020 at 8:34 AM Daniel Melcer <dmelc...@gmail.com> wrote:

> There are some well-known vulnerabilities that are a result of
> deserializing untrusted inputs. Are editor snips restrictive enough that
> their deserialization is safe? After all, they are already loaded when a
> file is opened in DrRacket, and a file on the disk may originate from an
> untrusted source. In particular, I would be doing something like this
> (snip-class-name, bytes, and snip-pos are from an untrusted source). The
> whole thing will be wrapped in an exception handler:
>
>         (define snip-class (send (get-the-snip-class-list) find snip-class-name)) ; Also handle case where this returns #f
>         (define bytes-base-in (make-object editor-stream-in-bytes-base% bytes))
>         (define editor-stream-in (make-object editor-stream-in% bytes-base-in))
>         (define new-snip (send snip-class read editor-stream-in))
>         (send text insert new-snip snip-pos)
>
> Daniel
>
> --
> You received this message because you are subscribed to the Google Groups
> "Racket Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to racket-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/racket-users/153d1c59-0343-4ed9-805b-2909499ec98fn%40googlegroups.com
>

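A defensive wrapper around the exact sequence quoted above, added here as an example that is not part of this thread or of the Racket GUI library: it keeps the same `find` / `editor-stream-in%` / `read` calls but refuses unknown classes and oversized payloads, and runs the snip class's `read` under `call-with-limits` (from `racket/sandbox`) and a deny-all security guard so a misbehaving `read` cannot touch files or the network or run unbounded. The names `read-untrusted-snip`, `insert-untrusted-snip`, `make-no-io-guard` and `max-snip-bytes` are hypothetical and the limits are illustrative; this bounds what the `read` may do, it does not change which snip-class code runs, which is the point of the reply above.

```racket
#lang racket/gui
(require racket/sandbox)

;; Added example (not from the thread): read a snip from untrusted bytes while
;; bounding what the snip class's read method may do. All names below are
;; hypothetical; the size/time/memory limits are illustrative.
(define max-snip-bytes (* 1 1024 1024))   ; refuse oversized payloads up front

;; Security guard that denies every file and network operation attempted while
;; the snip is being read; a snip's read method should only need the in-memory
;; stream it was handed, so any such attempt is treated as a failure.
(define (make-no-io-guard)
  (make-security-guard
   (current-security-guard)
   (lambda (who path modes)
     (error 'read-untrusted-snip "file access denied: ~a ~a" who path))
   (lambda (who host port client?)
     (error 'read-untrusted-snip "network access denied: ~a ~a" who host))))

;; Returns a snip on success, #f when the class is unknown, the payload is too
;; large, read returns #f, read raises, or read exceeds the time/memory limits
;; (call-with-limits raises exn:fail:resource, a subtype of exn:fail).
(define (read-untrusted-snip snip-class-name bytes #:seconds [secs 2] #:mb [mb 64])
  (define snip-class (send (get-the-snip-class-list) find snip-class-name))
  (cond
    [(not snip-class) #f]                         ; unknown class: do not guess
    [(> (bytes-length bytes) max-snip-bytes) #f]  ; oversized: refuse before parsing
    [else
     (define base (make-object editor-stream-in-bytes-base% bytes))
     (define in (make-object editor-stream-in% base))
     (with-handlers ([exn:fail? (lambda (e) #f)])
       (parameterize ([current-security-guard (make-no-io-guard)])
         (call-with-limits secs mb
           (lambda () (send snip-class read in)))))]))

;; Constructed caller: insert into the editor only after the read succeeded,
;; so a rejected payload never reaches the text.
(define (insert-untrusted-snip text snip-class-name bytes snip-pos)
  (define s (read-untrusted-snip snip-class-name bytes))
  (and s (begin (send text insert s snip-pos) #t)))
```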