Problems with strict-mode caller poisoning

Allen Wirfs-Brock allen at wirfs-brock.com
Tue Nov 20 08:26:17 PST 2012


On Nov 20, 2012, at 4:01 AM, Andreas Rossberg wrote:

> On 16 November 2012 22:19, Jeff Walden <jwalden+es at mit.edu> wrote:
>> On 11/16/2012 07:06 AM, Brendan Eich wrote:
>>> So it seems to me premature to throw on [[GetOwnProperty]] of a strict function's 'caller'. It would be more precise, and avoid the problem you're hitting, to return a property descriptor with a censored .value, or a poisoned-pill throwing-accessor .value.
> 
> That may be plausible, but requires making the 'value' property an
> accessor, and hence breaks with the idea that descriptors are just
> "records". But maybe that is OK for this hack? We should at least be
> careful to define it such that the meaning and behaviour of the
> descriptor does _not_ vary in time, which would be weird at best.
> I.e., its return value and/or poisoning has to be determined once when
> [[GetOwnProperty]] is executed.


Yes, property descriptor records can't act like accessors. They are just specification internal records that indicate that a set of values is being passed around. But we can censor the value that goes into the record. To me this seems like a sufficient solution for dealing with the security issue. It deviates from what was specified in ES5.1, but that is buggy and I don't think a change from throwing to returning null for the caller would create much havoc.

> 
>> "premature to throw on [[GetOwnProperty]]("caller") on a function whose caller is strict", I assume you meant.  That seems right to me.  Since caller is a time-variant characteristic, it seems right for the property to be an accessor, probably existing solely on Function.prototype, and to defer all the strictness checks to when the function provided as |this| is actually invoked.
> 
> I'm not sure I follow, are you talking about the 'caller' property
> itself now or the 'value' property of its descriptor?
> 
> The problem with 'caller' itself is that the spec does not (and
> doesn't want to) spec it for non-strict functions, so it cannot
> prescribe it to be an accessor. All would be fine, I suppose, if it
> was.
> 
> If you are talking about the descriptor's 'value' property then I
> strongly oppose making that vary in time. A time varying descriptor
> would be weird at best. Fortunately, it's not necessary either.
> 
> 
>> Such a property is no different from anything already in the language, so I can't see how it would at all interfere with Object.observe semantics or implementation.
> 
> See above, non-strict 'caller' is special in that the spec does not
> try to define it but yet guard against it with special, er, measures.
> 
> /Andreas

+1 allen
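An added model of the two [[GetOwnProperty]]("caller") behaviours the thread is weighing (example code written for this page, not from the thread or any engine): function objects are plain constructed records, `getOwnPropertyES51` throws at descriptor time the way the thread describes ES5.1 doing, and `getOwnPropertyCensored` returns an ordinary data descriptor whose null value is fixed once when the record is built, with `snapshotCaller` standing in for a generic reflective consumer such as a cloning or observation utility. All function and field names are assumptions.

```javascript
// Constructed record standing in for a function object: `strict` is the
// function's strictness, `callerFrame` is what a non-strict function's
// 'caller' would expose (a stand-in value, not a real stack frame).
function makeFn(name, strict, callerFrame) {
  return { name, strict, callerFrame };
}

// ES5.1-style poison pill as described in the thread: reflective access to
// a strict function's 'caller' throws inside [[GetOwnProperty]] itself, so
// any generic "walk the own properties" consumer blows up on it.
function getOwnPropertyES51(fn, key) {
  if (key !== 'caller') return undefined;
  if (fn.strict) throw new TypeError("strict function 'caller' is poisoned");
  return { value: fn.callerFrame, writable: false, enumerable: false, configurable: false };
}

// Censoring variant: the descriptor stays a plain record (no accessor, no
// time-varying meaning); the value is decided once here and is null for a
// strict function, so the caller is never disclosed and nothing throws.
function getOwnPropertyCensored(fn, key) {
  if (key !== 'caller') return undefined;
  const value = fn.strict ? null : fn.callerFrame;
  return { value, writable: false, enumerable: false, configurable: false };
}

// Generic reflective consumer: reports whether it could read the descriptor
// and what value it saw, instead of letting the poison pill propagate.
function snapshotCaller(fn, getOwnProperty) {
  try {
    const desc = getOwnProperty(fn, 'caller');
    return { ok: true, value: desc.value };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Check against the real engine: a direct .caller read on a strict function
// hits the throwing poison-pill accessor, which is the behaviour being kept.
function engineStrictCallerThrows() {
  try {
    void (function () { 'use strict'; }).caller;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```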