__proto__ security

David Bruant bruant.d at gmail.com
Sun Feb 26 08:47:27 PST 2012


On 26/02/2012 17:10, Mark S. Miller wrote:
> On Sun, Feb 26, 2012 at 1:39 AM, David Bruant <bruant.d at gmail.com> wrote:
>
>
>     Creating cross-context chains with Object.create has not been
>     discussed I think and should be fine...
>
>     ....or not?
>     Given an attacker from context A, a defender from context D (I'll use
>     these letters to refer to the global object of each context). An
>     attacker can create an object like
>     -----
>     var maliciousProto = Object.create(D.Object.prototype);
>     // Add whatever own properties to maliciousProto
>
>     someObjectInD.__proto__ = maliciousProto
>
>
> If D has already deleted F.Object.prototype.__proto__, then your
> attack fails at the above step.
True.
I guess it's the reason why you said that __proto__ being an accessor or
data property does not make that big of a difference from a security
standpoint.

David
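
The exchange above, as an added example that is not part of the original message: Node.js `vm` contexts stand in for contexts A and D, and the helper names `makeDefender` and `attemptProtoSwap` are hypothetical. It replays the quoted assignment against D with and without `Object.prototype.__proto__` deleted inside D, and reports whether the prototype of D's object was replaced.

```javascript
// Added example for Node.js: each vm context is a separate realm with its
// own Object.prototype, standing in for contexts A (this file) and D.
const vm = typeof require === 'function'
  ? require('node:vm')                      // CommonJS
  : process.getBuiltinModule('node:vm');    // ES module

// Hypothetical helper: build defender context D. When `harden` is true, D
// deletes Object.prototype.__proto__ before exposing any object.
function makeDefender(harden) {
  const D = vm.createContext({});
  if (harden) vm.runInContext('delete Object.prototype.__proto__;', D);
  vm.runInContext('var someObjectInD = { ownData: 1 };', D);
  return D;
}

// Hypothetical helper: replay the assignment from the quoted message, from
// context A, and report what D's object looks like afterwards.
function attemptProtoSwap(D) {
  const DObject = vm.runInContext('Object', D);
  const someObjectInD = vm.runInContext('someObjectInD', D);
  const maliciousProto = Object.create(DObject.prototype);
  maliciousProto.injected = true;
  someObjectInD.__proto__ = maliciousProto;
  return {
    // true if the object's [[Prototype]] is now the attacker's object
    protoReplaced: Object.getPrototypeOf(someObjectInD) === maliciousProto,
    // true if the attacker's property is visible through inheritance
    inheritsInjected: someObjectInD.injected === true,
    // true if the assignment only created an ordinary own data property
    gotOwnProtoProperty:
      Object.prototype.hasOwnProperty.call(someObjectInD, '__proto__'),
  };
}

const unhardened = attemptProtoSwap(makeDefender(false));
const hardened = attemptProtoSwap(makeDefender(true));
console.log({ unhardened, hardened });
```

With the deletion in place the assignment no longer reaches a `__proto__` setter on D's prototype chain, so it only creates an own property named `__proto__` and the prototype chain of D's object is unchanged.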