Lecture series on SES and capability-based security by Mark Miller
Mark S. Miller
erights at google.com
Fri Nov 4 18:36:43 PDT 2011
On Fri, Nov 4, 2011 at 10:33 AM, Axel Rauschmayer <axel at rauschma.de> wrote:
>
> How about:
>
> function Bob(t) {
>   var stolenArray;
>   var hackedPush = function() {
>     stolenArray = this;
>   };
>   t.store("push", hackedPush);
>   t.add(0);
>   console.log(stolenArray);
> }
> Bob(makeTable());
>
Yes, that is precisely the attack I had in mind. Congrats!
As Dave Herman discovered, it works on v8 but not on SpiderMonkey due to a
known bug in v8 that I had forgotten was a bug. According to the ES5.1
spec, you can't override a non-writable data property with a simple
assignment. I had always considered this an unfortunate annoyance and
irrelevant to security, but in this case it did happen to accidentally
prevent an attack.
--
Cheers,
--MarkM
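To make the defensive point concrete, here is an added example (not code from the thread, the lecture, or SES itself): a reconstruction of the kind of `makeTable` the probe above targets, next to a hardened variant. `makeTableVulnerable`, `makeTableHardened`, `probe` and the internal `array`/`dict` names are assumptions about the lecture's table, not its actual code. The vulnerable table uses its private array both as the element list and as the keyed store, so a key named `push` shadows the method `add` looks up; the hardened table keeps the keyed store in a prototype-less object and calls a captured `Array.prototype.push` so that later shadowing cannot redirect it. On a non-frozen environment such as Node the assignment succeeds regardless of the V8 bug discussed, so the leak reproduces there.

```javascript
// Added example, not the lecture's or the thread's code. The table shape
// below is an assumption about what makeTable() looked like.

// Vulnerable: the backing array doubles as the keyed store, so a caller who
// stores under the key "push" creates an own property that shadows
// Array.prototype.push, and add() then calls the caller's function with the
// private array as `this`.
function makeTableVulnerable() {
  var array = [];
  return {
    add: function (v) { array.push(v); },           // method lookup goes through the array
    store: function (key, v) { array[key] = v; },   // no separation between keys and methods
    get: function (key) { return array[key]; }
  };
}

// Hardened: elements and keyed values live in separate containers, the keyed
// container has no prototype chain (so "push", "toString", "__proto__" are
// ordinary keys), and the push used by add() is captured once up front.
function makeTableHardened() {
  var array = [];
  var push = Array.prototype.push;   // captured reference; shadowing cannot reach it
  var dict = Object.create(null);    // no inherited properties to collide with
  return {
    add: function (v) { push.call(array, v); },
    store: function (key, v) { dict[key] = v; },
    get: function (key) { return dict[key]; },
    size: function () { return array.length; }
  };
}

// The probe from the thread, parameterised over the table factory: store a
// function under "push", trigger add(), and report whether the private array
// was handed out as `this`.
function probe(makeTable) {
  var stolen;
  var t = makeTable();
  t.store("push", function () { stolen = this; });
  t.add(0);
  return stolen;   // the leaked backing array, or undefined if the table held
}

// Stand-alone run: the vulnerable table leaks, the hardened one does not.
console.log("vulnerable leaks array:", Array.isArray(probe(makeTableVulnerable)));
console.log("hardened leaks array:", Array.isArray(probe(makeTableHardened)));
```

The hardened version illustrates the general rule behind Mark's remark: do not rely on an incidental spec detail (a non-writable inherited property blocking assignment) to keep a private object private; keep caller-chosen keys out of any object whose prototype chain the code also depends on.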