Standardizing __proto__

Bradley Meck bradley.meck at gmail.com
Fri Mar 18 09:39:09 PDT 2011


I see the use of setting prototypes at runtime, but with proxies I
think it is not needed, and .__proto__ is commonly used in attacks
(WebKit-based browsers have a couple of attacks still viable using this
to get to various things). For example, a prototype injection:

function foo() {};
var tmp = foo.__proto__;                          // save the original Function.prototype
foo.__proto__ = {call:function(){return "win"}};  // inject an object whose own .call shadows the real one
foo.__proto__.__proto__ = tmp;                    // chain back to Function.prototype so foo still behaves as a function
foo.call(1)
> "win"
foo(1,1)
> undefined //works as intended

If a proposal could be made to prevent this sort of attack I think it
could gain more traction, but first I would remove it from the
original object into something like Object.setPrototype if you were to
do so. Until a safe implementation of this can be determined, I doubt
it will get much in terms of specification.

Cheers,
Bradley

On Fri, Mar 18, 2011 at 11:29 AM, John-David Dalton
<john.david.dalton at gmail.com> wrote:
> @Oliver
>> That said, your examples of environments that support it are slightly misleading as there's only a few JS engines being used between them: Carakan
>> (Opera person, is this correct?), JavaScriptCore, SpiderMonkey and V8.   AIR uses WebKit so pulls in JSC, and presumably ActionScript as well,
>> although ActionScript is not really an ES engine so I'm unsure if it counts to this discussion.
>
> The point is __proto__ has a very long history and is supported by
> more browsers/environments than it's not.
>
> @Mike Shaver
> For other possible uses please check out:
> http://msdn.microsoft.com/en-us/scriptjunkie/gg278167
> https://github.com/jdalton/fusebox#readme
> and follow the bug report.
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
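The injection above, next to two defensive measures, as an added example that is not part of the original thread. It uses Object.setPrototypeOf (the standardized form of the Object.setPrototype idea mentioned in the message) in place of the __proto__ assignments; naiveInvoke, hardenedInvoke, makeInjected, demo and frozenRejectsInjection are names chosen here.

```javascript
// Naive dispatch: trusts fn.call, which is resolved through fn's prototype
// chain and can therefore be shadowed by a replaced prototype.
function naiveInvoke(fn, arg) {
  return fn.call(null, arg);
}

// Mitigation 1: capture Function.prototype.call once at load time, before any
// untrusted code runs, so invocation never looks up .call through fn.__proto__.
const safeCall = Function.prototype.call.bind(Function.prototype.call);
function hardenedInvoke(fn, arg) {
  return safeCall(fn, null, arg);
}

// Builds a function whose prototype chain is injected exactly as in the message:
// an object with its own `call`, chained back to Function.prototype so that
// ordinary invocation of foo still works.
function makeInjected() {
  function foo() {}
  const original = Object.getPrototypeOf(foo);  // Function.prototype
  Object.setPrototypeOf(foo, { call: function () { return "win"; } });
  Object.setPrototypeOf(Object.getPrototypeOf(foo), original);
  return foo;
}

function demo() {
  const foo = makeInjected();
  return {
    direct: foo(1, 1),                 // undefined: foo itself is unchanged
    naive: naiveInvoke(foo, 1),        // "win": the shadowed .call is used
    hardened: hardenedInvoke(foo, 1),  // undefined: the real .call is used
  };
}

// Mitigation 2: a frozen (non-extensible) function refuses a new prototype;
// the attempt throws a TypeError instead of succeeding.
function frozenRejectsInjection() {
  "use strict";
  function bar() {}
  Object.freeze(bar);
  try {
    Object.setPrototypeOf(bar, { call: () => "win" });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```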