On Fri, Nov 4, 2011 at 10:33 AM, Axel Rauschmayer <a...@rauschma.de> wrote:
> How about:
>
> function Bob(t) {
>     var stolenArray;
>     var hackedPush = function() {
>         stolenArray = this;
>     };
>     t.store("push", hackedPush);
>     t.add(0);
>     console.log(stolenArray);
> }
> Bob(makeTable());

Yes, that is precisely the attack I had in mind. Congrats!

As Dave Herman discovered, it works on v8 but not on SpiderMonkey due to a known bug in v8 that I had forgotten was a bug. According to the ES5.1 spec, you can't override a non-writable data property with a simple assignment. I had always considered this an unfortunate annoyance and irrelevant to security, but in this case it did happen to accidentally prevent an attack.

--
    Cheers,
    --MarkM
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
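
The ES5.1 assignment rule and a table that does not rely on it, as an added example that is not part of the original message or thread. The body of makeTable() is an assumption (its definition is not shown in this message), and makeHardenedTable, leakCheck and assignmentShadows are hypothetical names introduced here.

```javascript
// ASSUMED shape of the makeTable() under discussion; not shown in this message.
function makeTable() {
  var array = [];
  return Object.freeze({
    add: function (v) { array.push(v); },      // resolves "push" on the array at call time
    store: function (i, v) { array[i] = v; },  // accepts any key, including "push"
    get: function (i) { return array[i]; }
  });
}

// Hardened variant (hypothetical): accept only array indices and call a push
// captured at definition time, so safety does not depend on the engine
// enforcing the non-writable rule.
var push = Function.prototype.call.bind(Array.prototype.push);
function makeHardenedTable() {
  var array = [];
  function isIndex(i) {
    return typeof i === "number" && i >>> 0 === i && i !== 0xFFFFFFFF;
  }
  return Object.freeze({
    add: function (v) { push(array, v); },
    store: function (i, v) {
      if (!isIndex(i)) { throw new TypeError("index must be an array index"); }
      array[i] = v;
    },
    get: function (i) { return isIndex(i) ? array[i] : undefined; }
  });
}

// Regression check built from the quoted Bob(): returns the internal array
// if the table leaks it, undefined otherwise.
function leakCheck(table) {
  var leaked;
  try { table.store("push", function () { leaked = this; }); } catch (e) { /* key rejected */ }
  table.add(0);
  return leaked;
}

// ES5.1 rule: plain assignment cannot shadow an inherited non-writable data
// property. A conforming engine throws in strict mode, so this returns false.
function assignmentShadows() {
  "use strict";
  var proto = Object.freeze({ push: function () {} });
  var obj = Object.create(proto);
  try { obj.push = function () {}; } catch (e) { return false; }
  return Object.prototype.hasOwnProperty.call(obj, "push");
}
```

With an unfrozen Array.prototype, leakCheck(makeTable()) returns the internal array on any engine, while leakCheck(makeHardenedTable()) returns undefined.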