Critical security fix to ':parse-as float' in view fields.

slburson · Aug 13, 2012 · 468218d · 468218d
1 parent 69ed8e1
commit 468218d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/views/types/parsers/common.lisp b/src/views/types/parsers/common.lisp
@@ -105,7 +105,8 @@
   (ignore-errors
     (let* ((presentp (text-input-present-p value))
 	   (float-value (when presentp
-                          (float (read-from-string value))))
+                          (let ((*read-eval* nil))
+			    (float (read-from-string value)))))
            (round-factor (awhen (float-parser-round parser)
                            (expt 10 (if (eq it t) 0 it)))))
       (unless (floatp float-value)