__proto__ security
David Bruant
bruant.d at gmail.com
Sun Feb 26 08:47:27 PST 2012
On 26/02/2012 17:10, Mark S. Miller wrote:
> On Sun, Feb 26, 2012 at 1:39 AM, David Bruant <bruant.d at gmail.com> wrote:
>
>
> Creating cross-context chains with Object.create has not been discussed
> I think and should be fine...
>
> ....or not?
> Given an attacker from context A, a defender from context D (I'll use
> these letters to refer to the global object of each context). An
> attacker can create an object like
> -----
> var maliciousProto = Object.create(D.Object.prototype);
> // Add whatever own properties to maliciousProto
>
> someObjectInD.__proto__ = maliciousProto
>
>
> If D has already deleted F.Object.prototype.__proto__, then your
> attack fails at the above step.
True.
I guess it's the reason why you said that __proto__ being an accessor or
data property does not make that big of a difference from a security
standpoint.
David
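
The exchange above, as an added example that is not part of the original messages: it checks what the quoted assignment does to an object before and after the defender deletes `Object.prototype.__proto__`. It assumes a current engine where `__proto__` is a configurable accessor on `Object.prototype`; a single realm stands in for context D, and `tryRebind`, `runDemo` and the sample objects are hypothetical names.

```javascript
// Added illustration, not code from the thread. One realm stands in for D.
function tryRebind(target, newProto) {
  target.__proto__ = newProto; // the assignment quoted in the thread
  return {
    // Did the prototype chain actually change?
    protoChanged: Object.getPrototypeOf(target) === newProto,
    // Or did the assignment only create an ordinary own property?
    ownProtoKey: Object.prototype.hasOwnProperty.call(target, '__proto__'),
    // Does an inherited method now resolve to the injected one?
    toStringHijacked: String(target) === 'attacker-controlled',
  };
}

function runDemo() {
  // Keep the original accessor so the realm can be restored afterwards.
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');

  // Constructed sample: a prototype carrying an overriding own property.
  const maliciousProto = Object.create(Object.prototype);
  maliciousProto.toString = () => 'attacker-controlled';

  // 1. Accessor present: the assignment re-parents the object.
  const before = tryRebind({}, maliciousProto);

  // 2. Defender has deleted the accessor: the same assignment is a plain
  //    property write and the prototype chain is untouched.
  let after;
  delete Object.prototype.__proto__;
  try {
    after = tryRebind({}, maliciousProto);
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', saved);
  }
  return { before, after };
}

console.log(runDemo());
```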