[Bese-devel] Re: read-from-client-string

Marco Baringer mb at bese.it
Tue May 9 17:10:36 UTC 2006


"Nathan Bird" <nathan at acceleration.net> writes:

> There are a number of cases of read-from-string in ucw_dev right now. Most
> of these are in form.lisp, but there are a few scattered elsewhere as well.
> Almost every case of this needs to be surrounded in let *read-eval* be nil
> block. This is so that strings being read in from the client can't be
> maliciously constructed to execute arbitrary code. 
>
> Think about someone entering as their age "#.(clsql:query "DELETE * FROM
> contacts")"... whoops!

afaicr the only places ucw needs to use read-from-string are:

1) the admin app. 'nuff said.

2) parsing numbers. we really shouldn't be using the lisp reader for
   this anyway, what we really want is just a floating point
   parser. openmcl has ccl::parse-float, i'm sure other lisps have it
   buried somewhere. if not we could just cut 'n paste someone's
   implementation into arnesi (though i'm loath to add more code we
   have to maintain).

> What about setting this up surrounding every request? Wrap a suitably
> high-level handle-request function with a binding for *read-eval* to nil to
> help prevent that class of vulnerability to begin with.

personally it smells bad to me, i'd be happier if we didn't. if you
want it (and can understand there being situations where you do) it's
as simple as:

(defmethod ucw::service :around ((app standard-application) (context request-context))
  (let ((*read-eval* nil))
    (call-next-method)))

> In the meantime I added a read-from-client-string function to helpers.lisp
> which just does the binding and read-from-string call. Form.lisp now uses
> this. Other places where it might be appropriate are in the aserve backend
> where it is parsing headers. I didn't touch anything here since I don't have
> a working aserve to test this with.

it's a good idea, and i'll leave it in for now, but i'd prefer
avoiding read-string entirely.

> Admin.lisp also calls read-from-string, but since the result is immediately
> being passed to eval itself, I don't think that would really help anything
> :-)

:)

-- 
-Marco
Ring the bells that still can ring.
Forget the perfect offering.
There is a crack in everything.
That's how the light gets in.
	-Leonard Cohen
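Added example (not code from this thread, UCW or arnesi): the reader-free number parser Marco asks for, next to the *read-eval* guard Nathan describes, so form input like an age field never reaches the reader at all, and the places that must still read get "#." rejected as a reader-error. Names are hypothetical; note that even with *read-eval* bound to nil, read-from-string still interns symbols and accepts arbitrary reader syntax, which is why the parser is the preferred path.

```lisp
(defun parse-client-decimal (string)
  "Parse an optionally signed decimal such as \"42\", \"-3.5\" or \"+0.25\"
without invoking the Lisp reader. Returns an integer for whole numbers, a
double-float otherwise, or NIL for anything else (no #., no radix syntax,
no ratios, no exponents, no trailing garbage)."
  (let ((len (length string)) (pos 0) (sign 1)
        (int-part 0) (frac-part 0) (frac-digits 0) (seen-digit nil))
    (when (zerop len) (return-from parse-client-decimal nil))
    ;; optional leading sign
    (case (char string 0)
      (#\- (setf sign -1 pos 1))
      (#\+ (setf pos 1)))
    ;; integer digits
    (loop while (and (< pos len) (digit-char-p (char string pos)))
          do (setf int-part (+ (* 10 int-part) (digit-char-p (char string pos)))
                   seen-digit t)
             (incf pos))
    ;; optional fraction after a single decimal point
    (when (and (< pos len) (char= (char string pos) #\.))
      (incf pos)
      (loop while (and (< pos len) (digit-char-p (char string pos)))
            do (setf frac-part (+ (* 10 frac-part) (digit-char-p (char string pos)))
                     seen-digit t)
               (incf frac-digits)
               (incf pos)))
    ;; reject bare "-", ".", and anything left unconsumed ("1e5", "#.(...)")
    (unless (and seen-digit (= pos len))
      (return-from parse-client-decimal nil))
    (if (zerop frac-digits)
        (* sign int-part)
        (* sign (+ int-part (/ frac-part (expt 10.0d0 frac-digits)))))))

(defun read-from-client-string (string)
  "Read one object from client-supplied STRING with read-time evaluation
disabled: a \"#.\" form signals READER-ERROR instead of being evaluated.
Callers must handle READER-ERROR (and END-OF-FILE) themselves."
  (let ((*read-eval* nil))
    (read-from-string string)))

;; Usage on constructed client input: the parser returns NIL for the
;; hostile string, while the guarded reader signals and we map it to :rejected.
(defun check-client-input (string)
  (list (parse-client-decimal string)
        (handler-case (read-from-client-string string)
          (reader-error () :rejected)
          (end-of-file () :rejected))))
```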