Another de-facto insecurity we need to fix in ES5

Allen Wirfs-Brock Allen.Wirfs-Brock at microsoft.com
Mon Jun 15 20:28:33 PDT 2009


On the surface, this seems fairly reasonable., of course IE doesn't have any skin in the mutable __proto__ game.

Would you really associate this with Object.freeze or would you make it a characteristic of the [[Extensible]] internal property  being false? Personally, I'd probably  be inclined to go with the latter.

My one concern also relates to you other message concerning debugging APIs.  Does no modification of [[Prototype]] really mean never.  I certainly can envision debugger APIs or other support for incremental/evolutionary development tools that could make use of a mutable [[Prototype]] (as well as mutability of other immutable states such as a false [[Extensible]] internal property) .  I'm quite happy to agree that these items should not be directly mutable from the internal perspective of an application program but I'm less willing to agree that a "privileged" tooling API (including possibly a mirrors reflection  based API) could never mutate such state.

From: es-discuss-bounces at mozilla.org [mailto:es-discuss-bounces at mozilla.org] On Behalf Of Mark S. Miller
Sent: Monday, June 15, 2009 7:52 PM
To: es-discuss; es5-discuss at mozilla.org
Subject: Another de-facto insecurity we need to fix in ES5

As I just mentioned on the debugging API thread, at the last EcmaScript meeting we agreed

On Mon, Jun 1, 2009 at 5:11 PM, Waldemar Horwat <waldemar at google.com<mailto:waldemar at google.com>> wrote:
Rather than describing the evil things that implementations do with F.caller, we agreed to just impose a blanket prohibition of code peeking into the environment records or identity of strict functions on the stack.  This way a test suite can ensure that F.caller does nnot reveal strict functions without us having to introduce the evil things into the standard.  I'll write up proposed wording.

This is an example of a more general principle. The language we're evolving from isn't ES3, it's ES3 as currently practiced. When browser vendors implement ES5, they won't actually implement ES5 as speced. They will implement ES5 as extended to preserve some of the defacto practices they currently support. When these likely future defacto extensions would lose some of the integrity or security gains we're trying to achieve with ES5, then we should find an adjustment to the ES5 spec that does not break these defacto practices for old code but still allows new code to defend itself from attackers using these defacto extensions.

The ES3 and ES5 specs both specify the implicit [[Prototype]] property as something that is initialized once and then unchanged. All major browsers today but IE alias this to the name "__proto__" (as if that's a named property) and allow it to be mutated. None of the rest of the ES5 semantics has been critically examined in light of the possibility that an implementation may allow this mutation. So long as [[Prototype]] is pervasively mutable, then most interesting behavior of an ES5 object won't be stable as well. I recommend:
Object.freeze(foo) guarantees not only that all of foo's named properties be frozen and that foo is non-extensible, but also that foo's [[Prototype]] will not be changed.

For non-frozen objects, we continue not to specify that [[Prototype]] can be mutated or explain any means for mutating it. But neither can we prohibit such mutations unless FF, Safari, and Opera are willing to give up this feature. The proposal above won't break any old code that depends on mutating __proto__ but will enable new code to protect itself. I would like to propose something stronger, but don't know of anything stronger compatible with this constraint.

--
   Cheers,
   --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es5-discuss/attachments/20090615/8e945fc9/attachment-0001.html>


More information about the es5-discuss mailing list