There are some well-known vulnerabilities that are a result of
deserializing untrusted inputs. Are editor snips restrictive enough that
their deserialization is safe? After all, they are already loaded when a
file is opened in DrRacket, and a file on the disk may originate from an
untrusted source. In particular, I would be doing something like this
(snip-class-name, bytes, and snip-pos are from an untrusted source). The
whole thing will be wrapped in an exception handler:
(define snip-class (send (get-the-snip-class-list) find
snip-class-name)) ; Also handle case where this returns #f
(define bytes-base-in (make-object editor-stream-in-bytes-base%
bytes))
(define editor-stream-in (make-object editor-stream-in%
bytes-base-in))
(define new-snip (send snip-class read editor-stream-in))
(send text insert new-snip snip-pos)
Daniel
--
You received this message because you are subscribed to the Google Groups
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/racket-users/153d1c59-0343-4ed9-805b-2909499ec98fn%40googlegroups.com.
