Thank you! Is it possible to safely load untrusted module with dynamic-require?
пятница, 22 октября 2021 г. в 22:59:57 UTC+5, Robby Findler: > On Fri, Oct 22, 2021 at 12:43 PM Matthew Flatt <[email protected]> wrote: > >> At Thu, 21 Oct 2021 07:37:12 -0700 (PDT), "[email protected]" wrote: >> > I've read about protect-out and current-code-inspector, but I still >> cannot >> > understand, how to require a module and forbid it to run protected >> modules. >> > >> > Something like (require untrusted-foo) (foo-proc) but to forbid >> foo-proc to >> > use ffi/unsafe. >> >> If you use >> >> (current-code-inspector (make-inspector)) >> (require untrusted-foo) >> >> > Just in case: I think Matthew as thinking of two subsequent REPL > interactions (or calls to eval or suchlike). If you put those two together > into a file in #lang racket, say, you won't be protected against > untrusted-foo. > > Robby > > >> and assuming that `untrusted-foo` hasn't been loaded earlier, then >> `untrusted-foo` will not be able to use protected binding. >> >> That sequence will also disable the use of protected bindings by >> anything that `untrusted-foo` depends on and that hasn't already been >> loaded. So, if you want those dependencies to be able to use untrusted >> things, you need to load the before `(current-code-inspector >> (make-inspector))`. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Racket Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> > To view this discussion on the web visit >> https://groups.google.com/d/msgid/racket-users/20211022114302.3e4%40sirmail.smtps.cs.utah.edu >> . >> > -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/004de0e0-b25f-4bae-be79-9bdd561a1e18n%40googlegroups.com.
