*read-eval* false? #82

At https://github.com/mmcgrana/ring/blob/master/ring-core/src/ring/middleware/session/cookie.clj#L92
should there be a
(binding [*read-eval* false] ) ?
Otherwise, it seems -- suppose some other vulnerability allowed the AES key to leak -- then we suddenly have the situation where the client can do arbitrary code execution by read macros?

You're right, but this bug has been fixed. You're looking at an old repository. Here's the latest code:

Thanks for the response.
I apologize for the false positive. (I'm not sure how I ended up reading an old version of the code).
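To make the risk in the question concrete, here is an added example (not Ring's code) that contrasts deserialising a session string with the plain Clojure reader against the two defensive options: binding `*read-eval*` to false as the issue suggests, or using `clojure.edn/read-string`, which has no `#=` at all. The `decode-*` function names and the session payloads are constructed for this illustration.

```clojure
;; Added example, not from Ring. The cookie store writes the session map with
;; pr-str and reads it back on the next request. If that read uses
;; clojure.core/read-string while *read-eval* is at its default (true, unless
;; the clojure.read.eval system property turns it off), a #=(...) form inside
;; the decrypted string is evaluated as a side effect of parsing. Anyone able
;; to produce a valid cookie (e.g. after the AES key leaks) controls that string.
(ns cookie-session-example
  (:require [clojure.edn :as edn]))

(defn decode-unsafe
  "The pattern the issue is about: honours #= when *read-eval* is true."
  [s]
  (read-string s))

(defn decode-with-read-eval-off
  "The fix proposed in the issue: same reader, but #= now throws instead
   of evaluating, so a forged cookie can only produce data or an error."
  [s]
  (binding [*read-eval* false]
    (read-string s)))

(defn decode-edn
  "Preferred for untrusted input: the EDN reader only knows data literals
   and tagged elements; it has no eval reader to disable."
  [s]
  (edn/read-string s))

(defn try-decode
  "Run a decoder and return {:ok value} or {:error message} so the three
   behaviours can be compared side by side without crashing the REPL."
  [decoder s]
  (try {:ok (decoder s)}
       (catch Exception e {:error (.getMessage e)})))

;; Constructed payloads. The first is an ordinary session; the second carries
;; a read-eval form (deliberately harmless, it only adds two numbers) of the
;; kind the issue warns about.
(def legit-session   "{:user-id 42, :roles #{:admin}}")
(def evalish-session "{:user-id #=(+ 1 2)}")

(defn -main [& _]
  ;; decode-unsafe returns {:ok {:user-id 3}}: the form was evaluated.
  (prn :unsafe   (try-decode decode-unsafe evalish-session))
  ;; Both hardened decoders return {:ok ...} for the legitimate session
  ;; and {:error ...} for the one containing #=.
  (prn :read-eval-off (try-decode decode-with-read-eval-off legit-session))
  (prn :read-eval-off (try-decode decode-with-read-eval-off evalish-session))
  (prn :edn           (try-decode decode-edn evalish-session)))
```

The same check applies to any code path that feeds `read-string` data it did not produce itself in the current process, not only the cookie store.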