[racket-users] Racket slower than Chez Scheme on interpreter benchmark, potential low hanging fruit?

2021-02-28 Thread philngu...@gmail.com
There’s this benchmark on BF interpreter where the Racket and Chez Scheme implementations are very similar, but Chez Scheme is much faster than Racket 8.0 at

Re: [racket-users] Is it safe to `read` untrusted input?

2021-02-28 Thread Ryan Kramer
Thanks everyone. I feel fine to use `read` for this use case now. I overlooked `call-with-default-reading-parameterization` which specifically mentions "reading from untrusted sources" so that is very reassuring.

On Sunday, February 28, 2021 at 3:36:29 PM UTC-6 John K wrote:
>
> > On Feb 28,

Re: [racket-users] Is it safe to `read` untrusted input?

2021-02-28 Thread John Kemp
> On Feb 28, 2021, at 2:50 PM, Ryan Kramer wrote:
>
> […]
>
> I could use JSON or XML, but that just seems silly when you have a Racket
> client talking to a Racket server.
>
> Are my concerns founded? Are there any existing solutions? Thanks for any
> advice.

I don’t think this

Re: [racket-users] Is it safe to `read` untrusted input?

2021-02-28 Thread Sage Gerard
Typo: "but the library itself leverages the reader" should read "but if the library itself leverages the reader"

On 2/28/21 4:20 PM, Sage Gerard wrote:
> Does call-with-default-reading-parameterization help?
>

Re: [racket-users] Is it safe to `read` untrusted input?

2021-02-28 Thread Sage Gerard
Does call-with-default-reading-parameterization help?

https://docs.racket-lang.org/reference/Reading.html?q=accept-compiled#%28def._%28%28lib._racket%2Fprivate%2Fmisc..rkt%29._call-with-default-reading-parameterization%29%29

The parameters you are seeing re: accepting -lang, -reader are for when

Re: [racket-users] Is it safe to `read` untrusted input?

2021-02-28 Thread Robby Findler
Leaving aside bugs, the intention with those parameters you mention (-lang, -reader, -compiled) is to help with security. They certainly would allow for code execution and they are off by default precisely because they allow that. I think that the general principle (read should, with the default

[racket-users] Is it safe to `read` untrusted input?

2021-02-28 Thread Ryan Kramer
I want to send some Racket structs across a network. I know that I can use prefab structs, serializable-structs, or even `eval` with a carefully curated namespace. I was trying to think of security problems with the eval approach and now I've become more afraid of `read` than I am of eval. And