Subject: Re: Using READ as an internet firewall [was Re: What case problem ...]
From: Erik Naggum <erik@naggum.net>
Date: 20 Nov 2000 03:32:25 +0000
Newsgroups: comp.lang.lisp
Message-ID: <3183679945164742@naggum.net>

* Matt Curtin
| The problem with this, of course, is that "filtering out bad stuff"
| violates the principle of Least Privilege, i.e., instead of
| disallowing the things that you don't want, it should allow nothing by
| default and allow only the things that you do want and whose effect on
| the system you've already analyzed.

  But this is actually pretty easy to accomplish.  Just bind *readtable*
  to a copy of the standard readtable and go modify it to your heart's
  content -- you now have full control over everything the reader does.
  I would suggest you make # a constituent character unless you _really_
  need dispatching while reading your data.

| Using more capable (and safer) tools doesn't eliminate our need to
| move with care or to adhere to good security design principles; they
| merely help us avoid stupid implementation mistakes.

  I agree, except I think "merely" is an understatement.

| Footnotes: 
| [1]  Assuming that the implementation itself isn't subject to the
|      problem, of course, which might be quite a lot to assume if you
|      can't see and audit the implementation yourself.

  Not really.  (1) You have to be extraordinarily clever to get a C/C++
  implementation exactly right, because the designs of those languages
  make it hard to implement anything intelligently and safely -- you
  have to think in another language, such as Lisp, to think of all the
  things you have to take care of.  Take a look at the string class in
  C++, just how much _more_ it does than the old char*.  (2) If you use
  features in the language that are used for many other things, too, you
  get community debugging experience for free.  This is very much unlike
  the kinds of things people do in C/C++, where safety and security are
  _not_ the norm, and in many cases, morons with one keyboard too many
  think they may sacrifice some efficiency if they don't write their own
  code, which will never be exposed to community debugging experiences.

  Having a data reader _in_ the language that the whole system depends
  on for its proper operation means you would find bugs so much sooner.

#:Erik
-- 
  ALGORITHM: a procedure for solving a mathematical problem in a finite
  number of steps that frequently involves repetition of an operation.
  ALGOREISM: a procedure for solving an electoral problem in a finite
  number of steps that frequently involves repetition of an operation.
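
The restricted reader sketched in the post above (copy the standard readtable, make # a constituent, then allow-list what comes back), worked out as an added example. This is not code from the post or from anyone in the thread; the package and function names are the example's own, and the data model it accepts (symbols, numbers, strings and lists of those) is an assumption chosen for illustration.

```lisp
;;; Added example, not code from the post: a restricted READ for untrusted
;;; data, built the way the post describes.  Package and function names are
;;; the example's own; the allowed data model is an assumption.

(defpackage :safe-read
  (:use :common-lisp)
  (:export #:safe-read-from-string #:check-datum))

;; Symbols found in the input are interned here.  The package uses nothing,
;; so a bare token can never name a Common Lisp function or variable.
(defpackage :safe-read-data (:use))

(in-package :safe-read)

(defun refuse (stream char)
  "Reader macro that rejects CHAR outright."
  (declare (ignore stream))
  (error "character ~S is not allowed in data input" char))

(defun make-data-readtable ()
  "Copy of the standard readtable with dispatching, quoting and package
prefixes removed."
  (let ((rt (copy-readtable nil)))   ; NIL => copy of the standard readtable
    ;; Give # the syntax type of a letter, i.e. constituent.  With no
    ;; dispatching character, #. #+ #\ #S #( ... cannot be expressed at all;
    ;; the token "#." is now just an ordinary symbol name.
    (set-syntax-from-char #\# #\a rt)
    ;; ' ` , are harmless to READ itself but tempting to EVAL later; drop them.
    (set-syntax-from-char #\' #\a rt)
    (set-syntax-from-char #\` #\a rt)
    (set-syntax-from-char #\, #\a rt)
    ;; The package-marker trait of : is fixed by the standard and cannot be
    ;; removed with SET-SYNTAX-FROM-CHAR, so make : a terminating macro
    ;; character that signals instead.  Otherwise cl::delete-file would read
    ;; as the real CL symbol no matter what *PACKAGE* is bound to.
    (set-macro-character #\: #'refuse nil rt)
    rt))

(defun check-datum (datum &optional (depth 0))
  "Allow-list walk: only symbols interned in SAFE-READ-DATA, numbers,
strings and proper lists of those, nested at most 32 deep (assumed limit)."
  (when (> depth 32)
    (error "data nested too deeply"))
  (typecase datum
    (null t)
    (symbol
     (unless (eq (symbol-package datum) (find-package :safe-read-data))
       (error "symbol ~S belongs to a foreign package" datum))
     t)
    ((or number string) t)
    (cons
     (loop for tail = datum then (cdr tail)
           while (consp tail)
           do (check-datum (car tail) (1+ depth))
           finally (unless (null tail)
                     (error "dotted list is not allowed")))
     t)
    (t (error "~S of type ~S is not allowed" datum (type-of datum)))))

(defun safe-read-from-string (string)
  "Read exactly one datum from STRING under the restricted readtable and
return it once CHECK-DATUM has accepted it."
  (let ((*readtable* (make-data-readtable))
        (*read-eval* nil)              ; belt and braces: #. is already gone
        (*package* (find-package :safe-read-data)))
    (multiple-value-bind (datum end) (read-from-string string)
      ;; Refuse trailing content so a second datum cannot hide after the first.
      (loop for i from end below (length string)
            unless (member (char string i) '(#\Space #\Tab #\Newline))
              do (error "trailing data after the first datum"))
      (check-datum datum)
      datum)))

;;; Constructed sample inputs (not from the post):
;;;   (safe-read-from-string "(user \"alice\" (roles admin ops))")
;;;   (safe-read-from-string "(user #.(delete-file \"/etc/passwd\"))")
;;;   (safe-read-from-string "(user cl::delete-file)")
;;;   (safe-read-from-string "(user #(1 2 3))")
```

With # demoted to a constituent, the second sample reads as a list holding a symbol named "#." followed by a sublist; nothing is evaluated and nothing runs. The third is rejected at the colon by the reader macro, and the fourth reads "#" as a symbol followed by the list (1 2 3), which CHECK-DATUM then accepts as plain data. Two caveats remain the caller's job: the standard sets no bound on input size, so cap the length of STRING before reading (a token of a million digits still becomes a bignum), and if the consumer ever passes a symbol from this data to FUNCALL or EVAL, the foreign-package check above is the only thing standing between it and the CL package.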