From: Amirouche Boubekki
Subject: Re: Is there any security risk related to the use of the reader?
Date: Sun, 25 Feb 2018 18:38:29 +0100
User-agent: Roundcube Webmail/1.1.2
On 2018-02-25 18:29, Matt Wette wrote:
> On 02/25/2018 07:35 AM, Amirouche Boubekki wrote:
>> I have procedures like that in my program:
>>
>>     ;; write any datum as its printed representation
>>     (define-public (scm->string scm)
>>       (call-with-output-string
>>         (lambda (port) (write scm port))))
>>
>>     ;; parse one datum back from a string
>>     (define-public (string->scm string)
>>       (call-with-input-string string read))
>>
>> Is it safe to pass to these procedures input from third parties?
>>
>> TIA!
>
> maybe check (ice-9 sandbox), explained in section 6.18.12 of the 2.2.3 manual
I don't know what the performance implications are of serializing / deserializing in a sandbox. This would slow down every write / read. The alternative I am thinking about is to use msgpack, but I will lose direct representation of bignum; maybe it's a good enough strategy. People that need precision can maybe use the hdf5 string representation.
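As an added illustration (not code from this thread or from Guile itself) of what a cautious caller would put around the `string->scm` above: `read` returns whatever datum the text denotes, so the caller, not the reader, has to decide which shapes the program accepts, and how much parsing work it is willing to pay for. The version below caps the input length, runs the single `read` under the time and allocation limits from `(ice-9 sandbox)` that Matt points at (assumed here to be the `call-with-time-and-allocation-limits` procedure of the Guile 2.2 manual, taking a time limit in seconds, an allocation limit in bytes and a thunk), refuses trailing data after the datum, and then walks the result with a node budget so that only plain data (numbers, strings, booleans, symbols, characters, lists and vectors of those) gets through. The limits, the name `string->scm/checked` and the budget values are choices made for this example.

```scheme
;; Added example, not code from the thread: read one datum from an untrusted
;; string with bounded cost, then accept only plain data shapes.
;; Assumption: Guile 2.2 with (ice-9 sandbox) exporting
;; call-with-time-and-allocation-limits (time-limit allocation-limit thunk).
(use-modules (ice-9 sandbox))

(define max-input-chars 65536)             ; hard cap on what we are willing to parse
(define max-datum-nodes 10000)             ; hard cap on pairs/vectors we will walk
(define read-time-limit 0.1)               ; seconds of wall-clock time for one read
(define read-alloc-limit (* 16 1024 1024)) ; bytes the reader may allocate

;; Walk a datum with a node budget. Only numbers, strings, booleans, symbols,
;; characters, the empty list, and pairs and vectors built from those are
;; accepted. The budget turns oversized or self-referential structures into
;; a rejection instead of unbounded recursion.
(define (plain-datum? datum)
  (let ((budget max-datum-nodes))
    (let walk ((x datum))
      (cond ((or (number? x) (string? x) (boolean? x)
                 (symbol? x) (char? x) (null? x))
             #t)
            ((<= budget 0) #f)
            ((pair? x)
             (set! budget (- budget 1))
             (and (walk (car x)) (walk (cdr x))))
            ((vector? x)
             (set! budget (- budget 1))
             (walk (vector->list x)))
            (else #f)))))

;; Checked counterpart of the thread's string->scm: same result on well-formed
;; plain data, but rejects oversized input, slow or allocation-heavy parses,
;; empty input, trailing data after the datum, and any object outside the
;; whitelist. Errors are raised with `error`, so callers can `catch` them.
(define (string->scm/checked string)
  (when (> (string-length string) max-input-chars)
    (error "string->scm/checked: input too large" (string-length string)))
  (let ((datum
         (call-with-time-and-allocation-limits
          read-time-limit read-alloc-limit
          (lambda ()
            (call-with-input-string string
              (lambda (port)
                (let ((d (read port)))
                  ;; a second read must hit end of input, otherwise the
                  ;; sender smuggled extra data after the datum
                  (unless (eof-object? (read port))
                    (error "string->scm/checked: trailing data after datum"))
                  d)))))))
    (when (eof-object? datum)
      (error "string->scm/checked: empty input"))
    (unless (plain-datum? datum)
      (error "string->scm/checked: datum contains a disallowed object"))
    datum))

;; Constructed sample inputs: the first is accepted (bignums survive as
;; exact integers, which is the property msgpack would lose), the second
;; is rejected because of the trailing datum.
(define sample-ok "(1 \"two\" #(3 four) 123456789012345678901234567890)")
(define sample-trailing "(a b) c")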