Lecture series on SES and capability-based security by Mark Miller
Mark S. Miller
erights at google.com
Fri Nov 4 18:48:19 PDT 2011
On Fri, Nov 4, 2011 at 10:51 AM, Jorge <jorge at jorgechamorro.com> wrote:
>
> o= makeTable();
> o.add(1);
> o.add(2);
> o.add(3);
> o.add('Yay!');
>
> o.store('__proto__', {push:function () { console.log(this) }});
> o.add();
>
> Gives:
>
> [ 1, 2, 3, 'Yay!' ]
>
Very nice! Your use of __proto__ is very clever, and should work on
SpiderMonkey, or any other conforming browser that also supports de-facto
__proto__.
Note that the mitigating practice I just recommended: always saying
array[+i] rather than array[i], would have prevented this attack as well,
even though I had not thought of it before.
--
Cheers,
--MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20111104/9565f413/attachment.html>
More information about the es-discuss
mailing list