Lecture series on SES and capability-based security by Mark Miller

Mark S. Miller erights at google.com
Fri Nov 4 18:48:19 PDT 2011


On Fri, Nov 4, 2011 at 10:51 AM, Jorge <jorge at jorgechamorro.com> wrote:

>
> o= makeTable();
> o.add(1);
> o.add(2);
> o.add(3);
> o.add('Yay!');
>
> o.store('__proto__', {push:function () { console.log(this) }});
> o.add();
>
> Gives:
>
> [ 1, 2, 3, 'Yay!' ]
>

Very nice! Your use of __proto__ is very clever, and should work on
SpiderMonkey, or any other conforming browser that also supports de-facto
__proto__.

Note that the mitigating practice I just recommended: always saying
array[+i] rather than array[i], would have prevented this attack as well,
even though I had not thought of it before.

-- 
    Cheers,
    --MarkM
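The leak quoted above next to the `array[+i]` mitigation from the reply, as an added example that is not part of the original thread. `makeTable`'s body does not appear in this message, so the closure-over-a-private-array shape, the `coerceIndex` flag, and the `probe`/`runDemo` helpers are assumptions made for illustration.

```javascript
// Assumed shape of makeTable: a frozen facade over a private array.
// coerceIndex is a hypothetical switch that selects array[+i] over array[i].
function makeTable(coerceIndex) {
  const array = [];
  return Object.freeze({
    add(v) { array.push(v); },
    store(i, v) {
      if (coerceIndex) {
        array[+i] = v; // +'__proto__' is NaN, so this creates an own property "NaN"
      } else {
        array[i] = v;  // '__proto__' reaches the inherited setter and swaps the prototype
      }
    },
    get(i) { return coerceIndex ? array[+i] : array[i]; }
  });
}

// Replays the sequence from the quoted message against a table and records
// what the caller-supplied push() received as `this` (null if never called).
function probe(table) {
  let captured = null;
  table.add(1);
  table.add(2);
  table.add(3);
  table.add('Yay!');
  table.store('__proto__', { push() { captured = this; } });
  table.add('after');
  return { captured, fifth: table.get(4) };
}

function runDemo() {
  return {
    unsafe: probe(makeTable(false)), // private array handed to caller code
    safe: probe(makeTable(true))     // prototype untouched, real push() runs
  };
}

const result = runDemo();
console.log('array[i]  leaked private state:', result.unsafe.captured);
console.log('array[+i] leaked private state:', result.safe.captured);
console.log('array[+i] fifth element:', result.safe.fifth);
```

With `array[i]`, the facade's own `add` ends up calling code supplied through `store`, with the encapsulated array as `this`; with `array[+i]`, the same call only creates an inert `NaN` property.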