Question

On page 102 of Doug Hoyte's Let Over Lambda, the author says this about his safe-read-from-string function:

That means that vectors, bit-vectors, gensyms, circular references, #., and all the rest are out. Safe-read-from-string will not even allow keywords or foreign package symbols.

I'm straining my brain trying to think of a nefarious use for keyword symbols. Were they excluded for convenience or can something evil be done with them?

Solution

You create safe readers, like that example, because you want to guard your software from inappropriate input. The universe of inappropriate is very large; for example, your attacker could feed a lot of random symbol names to you in the hope of exhausting memory.

So safe readers are paranoid. A good practice, if you need a safe reader, is to start with a reader with no capabilities and then start adding in the things you must have. But that's tedious. So another approach is to discard big swaths of functionality and then add them back only if and when you need them. That example is illustrating the second case. He lost keywords because he wanted to eliminate any access to packages. Keywords were just collateral damage.

That example is nice because it's so concise and comprehensible.

Other tips

You are referring to the part about reader macros and the example for sanitizing user input.

If you let the user input a symbol from an undefined package, like UNDEF::SOMETHING, it will raise an error and if you don't have a handler your web application would have been out of business.

safe-read-from-string is the author's example for a solution just by banning the chars #\#, #\:, and #\|. By blacklisting #\: it would not allow package symbols, but as a side effect it will ban keywords too.

Later on in the chapter he states:

Even if you remove the : character, our above package shell code will be thwarted because we catch all errors during reading, including errors indicating nonexistent packages.

So by making the user defined reader catch errors you can allow keywords again.

It's important to sanitize data when using the reader and be careful how you use user data. One cannot be too careful when you are writing something like a web server so perhaps reading strings would be safer?
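
The trade-off described in the last answer, as an added example that is not code from the book or from either answer: block only #\# and #\|, leave #\: readable so keywords work, and catch every reader error. The names `restricted-read`, `reject-char`, `*blocked-chars*` and `*restricted-readtable*` are made up for this sketch, and it assumes no package named UNDEF exists in the image.

```lisp
;;; Added example: restricted reader that keeps keywords readable.

(defparameter *blocked-chars* '(#\# #\|)
  "Constructed for this example: characters the reader must refuse.")

(defun reject-char (stream char)
  "Reader macro function installed on every blocked character."
  (declare (ignore stream))
  (error "blocked character ~S" char))

(defparameter *restricted-readtable*
  (let ((rt (copy-readtable nil)))   ; NIL = copy of the standard readtable
    (dolist (c *blocked-chars* rt)
      ;; As a terminating macro character, C signals an error as soon as
      ;; the reader reaches it, so #. #1= #( and |...| are all refused.
      (set-macro-character c #'reject-char nil rt))))

(defun restricted-read (string &optional fail)
  "Read one object from STRING; return FAIL on any reader error."
  (if (stringp string)
      (with-standard-io-syntax
        (let ((*readtable* *restricted-readtable*)
              (*read-eval* nil))     ; second guard against read-time eval
          ;; Nonexistent packages, blocked characters and premature
          ;; end of input all arrive here as ERROR conditions.
          (handler-case (values (read-from-string string))
            (error () fail))))
      fail))

;; Constructed inputs exercising each path.
(assert (eq (restricted-read ":key") :key))              ; keyword accepted
(assert (null (restricted-read "UNDEF::SOMETHING")))     ; no such package
(assert (null (restricted-read "#.(+ 1 2)")))            ; #\# blocked
(assert (null (restricted-read "(:a 1 :b |x|)")))        ; #\| blocked
(assert (null (restricted-read "")))                     ; end of input
(assert (null (restricted-read 42)))                     ; not a string
```

With #\: readable, a qualified name in a package that does exist (for example `cl-user::foo`) is read and interned, which is the package access that blacklisting #\: rules out.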

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow