30 Nov 2023 |
@zardo3z:laborde.live | because ideally networked software (specifically nyxt) should be running in some sort of sandbox/untrusted environment | 17:27:52 |
Gnuxie 💜🐝 | most CL implementations are networked, unsandboxed, with the whole CL environment available when you install something random from quicklisp | 17:28:49 |
Gnuxie 💜🐝 | i don't understand where you're saying the vulnerability comes from though | 17:29:36 |
Gnuxie 💜🐝 | do you mean that they have a read eval vulnerability just from viewing a html page or something? | 17:29:51 |
Gnuxie 💜🐝 | because then yeah that is way worse | 17:30:07 |
@zardo3z:laborde.live | in fairness i heard this second hand (who was being intentionally vague for obvious reasons) but it could equally be the history since that's also a dumped sexpr | 17:30:34 |
@zardo3z:laborde.live | "crafted history vulns" sounds atrocious | 17:30:49 |
@zardo3z:laborde.live | whereas user-config is not as bad of a vulnerability since it's the user's responsibility to manage that | 17:31:44 |
@zardo3z:laborde.live | whereas history is not something you are supposed to poke at | 17:32:05 |
Gnuxie 💜🐝 | ahh right | 17:32:34 |
@zardo3z:laborde.live | * whereas the problem being user-config is not as bad of a vulnerability since it's the user's responsibility to manage that | 17:32:56 |
@zardo3z:laborde.live | you could probably grep for read in the checkout (but i cannot actually get it to compile because of their asdf extensions) | 17:37:19 |
Gnuxie 💜🐝 | i think you can also get sniped via read-delimited-list and all of the exported read functions | 17:39:13 |
Gnuxie 💜🐝 | this is especially funny because people abuse that in JSON parsers and stuff | 17:39:31 |
Gnuxie 💜🐝 | * this is especially unfunny because people abuse that in JSON parsers and stuff | 17:39:48 |
@zardo3z:laborde.live | oh christ | 17:40:11 |
@zardo3z:laborde.live | i remember early browsers got fucked because json used to use eval to read in JS values | 17:40:46 |
@zardo3z:laborde.live | In reply to @gnu_ponut:matrix.org "i think you can also get sniped via read-delimited-list and all of the exported read functions": does *read-time* dynamic variable also affect those | 17:54:01 |
@zardo3z:laborde.live | because if it didn't that would be a major footgun | 17:54:22 |
Gnuxie 💜🐝 | What variable is that | 21:42:54 |
@zardo3z:laborde.live | In reply to @gnu_ponut:matrix.org "i think you can also get sniped via read-delimited-list and all of the exported read functions": * does *read-eval* dynamic variable also affect those | 21:44:12 |
@zardo3z:laborde.live | typo because i did read-time-eval and went to remove time | 21:44:29 |
Gnuxie 💜🐝 | Ahh | 22:00:45 |
Gnuxie 💜🐝 | In reply to @zardo3z:laborde.live "does *read-eval* dynamic variable also affect those": Should do | 22:01:19 |