[Bese-devel] read-from-client-string

Nathan Bird nathan at acceleration.net
Mon May 8 18:02:52 UTC 2006


There are a number of cases of read-from-string in ucw_dev right now. Most
of these are in form.lisp, but there are a few scattered elsewhere as well.
Almost every case of this needs to be surrounded in a (let ((*read-eval* nil)) ...)
block. This is so that strings being read in from the client can't be
maliciously constructed to execute arbitrary code.

Think about someone entering as their age "#.(clsql:query "DELETE * FROM
contacts")"... whoops!

What about setting this up surrounding every request? Wrap a suitably
high-level handle-request function with a binding for *read-eval* to nil to
help prevent that class of vulnerability to begin with.

In the meantime I added a read-from-client-string function to helpers.lisp
which just does the binding and read-from-string call. Form.lisp now uses
this. Another place where it might be appropriate is the aserve backend,
where it is parsing headers. I didn't touch anything there since I don't have
a working aserve to test this with.

Admin.lisp also calls read-from-string, but since the result is immediately
being passed to eval itself, I don't think that would really help anything
:-)

It's in ucw_public.

Nathan Bird
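An added example (not the helpers.lisp code from ucw_public) of the binding the post describes: read-from-string over client input with *read-eval* bound to NIL, so a "#." form is rejected with a reader-error instead of being evaluated. The keyword argument, the second return value and the parse-client-age wrapper are assumptions of this example.

```lisp
;;; Added example, not the ucw helpers.lisp implementation.
;;; Shows the *read-eval* NIL binding around read-from-string for data
;;; that arrives from a client, plus the error handling a caller wants.

(defun read-from-client-string (string &key (default nil))
  "Read one Lisp object from STRING supplied by a client.
Returns (values object T) on success and (values DEFAULT NIL) when the
string is not a readable, #.-free form.  Name matches the helper in the
post; the signature and error handling are this example's assumptions."
  (let ((*read-eval* nil)                        ; reject #.(...) read-time evaluation
        (*read-base* 10)                         ; don't inherit a caller's odd base
        (*read-default-float-format* 'single-float))
    ;; Note: symbols in the input are still interned in *PACKAGE*;
    ;; for untrusted data prefer field-specific parsers (parse-integer etc.)
    ;; and use this only where a Lisp form is genuinely expected.
    (handler-case
        (values (read-from-string string) t)
      ;; With *read-eval* NIL the reader signals READER-ERROR on #. ;
      ;; END-OF-FILE covers truncated input such as "(1 2".
      ((or reader-error end-of-file) ()
        (values default nil)))))

(defun parse-client-age (string)
  "Example field parser built on the helper: accept only a non-negative
integer, returning NIL for anything else (including a #. payload)."
  (multiple-value-bind (obj ok) (read-from-client-string string)
    (if (and ok (integerp obj) (>= obj 0))
        obj
        nil)))

;; Constructed inputs:
;; (parse-client-age "42")                    => 42
;; (parse-client-age "#.(do-something-bad)")  => NIL, nothing was evaluated
;; (parse-client-age "(1 2")                  => NIL
```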