Should the #. reader macro be enabled by default?

[Matthias Koeppe]

In this article, I propose to disable the #. reader macro by default
for security reasons.  

The #. reader macro evaluates arbitrary code at read time.  This
allows data files read with READ to execute arbitrary code using
all bindings from the INTERACTION-ENVIRONMENT, which is dangerous. 

The #. reader macro has been lifted from Common Lisp.  The latter has
a special variable *READ-EVAL* that controls whether #. is allowed; it
defaults to true.  Wherever potentially malicious data is read, Common
Lisp programs do (let ((*read-eval* nil)) (read...)).

For Guile, I suggest creating a fluid READ-EVAL? with the same
meaning, but which defaults to #f.  The user should enable the
#. reader macro if it is needed in the respective application.  I
believe that #. is only very seldom necessary in the presence of the
cleaner and safer alternative #, (sharp-comma) which is provided by
SRFI-10 (available in current CVS Guile).

A patch is included below.

Index: boot-9.scm
===================================================================
RCS file: /cvs/guile/guile-core/ice-9/boot-9.scm,v
retrieving revision 1.254
diff -u -u -r1.254 boot-9.scm
--- boot-9.scm  2001/05/25 13:18:52     1.254
+++ boot-9.scm  2001/06/05 11:53:18
@@ -750,8 +750,13 @@
 
 (read-hash-extend #\' (lambda (c port)
                        (read port)))
+
+(define read-eval? (make-fluid))
+(fluid-set! read-eval? #f)
 (read-hash-extend #\. (lambda (c port)
-                       (eval (read port) (interaction-environment))))
+                       (if (fluid-ref read-eval?)
+                           (eval (read port) (interaction-environment))
+                           (error 'reader-error))))
 

 ;;; {Command Line Options}


-- 
Matthias Köppe -- http://www.math.uni-magdeburg.de/~mkoeppe