__proto__ security

Mark S. Miller erights at google.com
Sun Feb 26 08:10:10 PST 2012


On Sun, Feb 26, 2012 at 1:39 AM, David Bruant <bruant.d at gmail.com> wrote:

> On 26/02/2012 01:23, Geoffrey Sneddon wrote:
> > On 13/02/12 17:55, Allen Wirfs-Brock wrote:
> >> Let's try to get this back to concrete issues that I can incorporate
> >> into a specification.
> >>
> >> The current draft is at
> >>
> http://wiki.ecmascript.org/lib/exe/fetch.php?id=strawman%3Amagic_proto_property&cache=cache&media=harmony:draft_proto_spec_rev2.pdf
> >>
> >> Gavin and Oliver seem to really want to use an accessor for
> >> Object.prototype.__proto__
> >
> > On the whole this is my preference too, as it practically eliminates
> > special-casing for the __proto__ property, which on the whole I'm in
> > favour of.
> >
> > I've basically implemented something close to what is attributed to
> > Dave Herman on the wiki in Carakan now, albeit without the context
> > check, though I agree it's a good idea. I wonder if it's
> > web-compatible to disallow cross-context prototype chains (both
> > through __proto__ and Object.create).
> What is asked to be disallowed is only changing the prototype with
> __proto__ in a cross-context manner.
> Creating cross-context chains with Object.create has not been discussed
> I think and should be fine...
>
> ....or not?
> Given an attacker from context A, a defender from context D (I'll use
> these letters to refer to the global object of each context). An
> attacker can create an object like
> -----
> var maliciousProto = Object.create(D.Object.prototype);
> // Add whatever own properties to maliciousProto
>
> someObjectInD.__proto__ = maliciousProto;
>

If D has already deleted F.Object.prototype.__proto__, then your attack
fails at the above step.




> -----
>
> I was enthusiastic about Gavin's Object.prototype ownership-based solution,
> but it seems that as long as an attacker has the possibility to create
> cross-context objects, an Object.prototype-based solution actually does
> not prevent anything.
>
>
> > The one thing I would prefer, however, would be that the setter is
> > optional (i.e., it is permissible to have __proto__ have just a getter
> > or have both a getter and a setter, but not just a setter).
> I think that it's unrealistic since the web does use the setter as well.
> If the setter was standardized as optional, all implementations would
> implement it anyway.
>
> David
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>



-- 
    Cheers,
    --MarkM