Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

monger.joda-time ns `print-dup` method relies on read-eval #59

Open
ptaoussanis opened this Issue · 6 comments

2 participants

@ptaoussanis

Hi guys,

Issue was reported by a Nippy user, Ref. ptaoussanis/nippy#14 (comment)

Not at all familiar with the Monger code base, so not sure what the best workaround would be.

Cheers! :-)

@michaelklishin

Well, it's a hack that uses undocumented reader features, I'm not sure if we can do that with, say, Nippy.

@ptaoussanis

Hey Michael,

For some context, could you explain roughly why you're overwriting the default Date representation? Would the data-readers not be appropriate for your use case?

For security purposes, I generally recommend that most folks disable *read-eval* unless they absolutely know the implications and that the data they're dealing with is sanitary.

@michaelklishin

It was added in 1.3 days, maybe now there are better options to explore. One way is dropping 1.3 support. I believe
JDK dates can be serialized using 1.4's reader (as tagged literals) and that's sufficient for what monger.joda-time tries to do.

@ptaoussanis

Not sure what your internals look like, but perhaps it'd be possible to do this coercion w/o needing to mod the reader at all? Is this coercion entirely internal, or is the user going to be interacting with the serialized-to-string forms?

@michaelklishin

It is there to enable dates to be serialized.

@ptaoussanis

Got that much :-) Anyway, yeah - there are a number of possibilities ranging from a thread-local coercion to a namespaced or thread-local data-reader if you're prepared to bump to 1.4. Will leave it to you, but I would suggest the current behavior is dangerous.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.