
Clojure's reader is designed to provide the types of tasks useful for Lisps; specifically, to take a string and convert it to data structures. However, like most Lisps, Clojure has some special syntax that does various tasks at read time, like the #= tag, that might not be safe to use as a webform processor, but it's critical to the way that Clojure works.

In Clojure 1.5 there are EDN functions that handle a subset of the Clojure syntax and parse strings into data types like numbers, maps and vectors (and others). It's meant to deal with data only and not "reader forms". I wrote a Ring middleware to handle EDN data and recently ported it to use the new 1.5 EDN reader.

https://github.com/fogus/ring-edn/blob/master/src/ring/middl...

It looks almost exactly like the old clojure.core/read-string except it will not execute any dangerous code.
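The difference the comment above describes, shown as an added example (this is not code from ring-edn or from the comment author): the same untrusted string is passed through clojure.core/read-string with read-eval on, through clojure.core/read-string with *read-eval* bound to false, and through clojure.edn/read-string. The payload string and the helper names (read-with-core, read-as-edn, compare-readers) are constructed for this illustration; java.lang.System/getProperty is used only because it is harmless, any static method reachable from the classpath could stand in its place.

```clojure
(ns reader-demo
  (:require [clojure.edn :as edn]))

;; Constructed attacker-controlled input (not from the original post):
;; a #= read-eval form that invokes a static Java method while the
;; string is being *read*, before any application code sees the result.
(def payload "#=(java.lang.System/getProperty \"java.version\")")

(defn read-with-core
  "clojure.core/read-string with *read-eval* true (the default unless the
   clojure.read.eval system property says otherwise): the #= form runs
   at read time and the method's return value becomes the parsed datum."
  [s]
  (binding [*read-eval* true]
    (read-string s)))

(defn read-with-core-no-eval
  "clojure.core/read-string with *read-eval* bound to false: the reader
   throws on #= instead of evaluating it. Still the full Clojure reader,
   so every other reader macro remains available."
  [s]
  (binding [*read-eval* false]
    (read-string s)))

(defn read-as-edn
  "clojure.edn/read-string knows no #= dispatch at all, so it throws on
   the payload. Only data (numbers, strings, keywords, symbols, lists,
   vectors, maps, sets, tagged literals) can come back from it."
  [s]
  (edn/read-string s))

(defn try-read
  "Run a reader over s and capture either the value or the error message,
   so the three behaviours can be compared side by side."
  [f s]
  (try {:ok (f s)}
       (catch Exception e {:error (.getMessage e)})))

(defn compare-readers
  "Map of reader name -> outcome for one input string."
  [s]
  {:core        (try-read read-with-core s)
   :core-noeval (try-read read-with-core-no-eval s)
   :edn         (try-read read-as-edn s)})

(comment
  ;; Attacker input: only :core yields an {:ok ...}; the other two error out.
  (compare-readers payload)

  ;; Plain data reads identically under all three readers.
  (compare-readers "{:user \"bob\" :roles [:admin] :n 42}"))
```

The middleware pattern is the last reader only: hand the request body to clojure.edn/read-string and never to clojure.core/read-string. Binding *read-eval* to false around read-string blocks #= but keeps the rest of the Clojure reader, so it is the weaker of the two mitigations; the EDN reader simply has no evaluating syntax to reach.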



Anything that can turn strings into symbols is dangerous code. Symbols can't be garbage collected, and an attacker can conduct a denial of service by forcing you to load unlimited numbers of uniquely-named symbols.


Symbols can be GCed as of 1.2.


neat!



