On Fri, Nov 4, 2011 at 10:33 AM, Axel Rauschmayer <a...@rauschma.de> wrote:

>
> How about:
>
>    function Bob(t) {
>        var stolenArray;
>        var hackedPush = function() {
>            stolenArray = this;
>        };
>        t.store("push", hackedPush);
>        t.add(0);
>        console.log(stolenArray);
>    }
>    Bob(makeTable());
>

Yes, that is precisely the attack I had in mind. Congrats!

As Dave Herman discovered, it works on v8 but not on SpiderMonkey due to a
known bug in v8 that I had forgotten was a bug. According to the ES5.1
spec, you can't override a non-writable data property with a simple
assignment. I had always considered this an unfortunate annoyance and
irrelevant to security, but in this case it did happen to accidentally
prevent an attack.

-- 
    Cheers,
    --MarkM
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
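The following is an added example, not code from the thread or from either participant. makeTable() is a hypothetical reconstruction of the object Bob attacks: a closure over a private array whose store(name, value) does a plain assignment on that array and whose add(x) calls the array's push. Its exact shape is an assumption. The hardened variant shows the ES5.1 behaviour MarkM describes: when the inherited push is a non-writable data property, the assignment that would shadow it is rejected, so the attacker's hackedPush never gets called with the private array as `this`.

```javascript
// Added example, not code from the es-discuss thread. makeTable() is a
// hypothetical reconstruction (an assumption): a closure over a private
// array, with store() assigning a named property on that array and add()
// calling its push method.
function makeTable() {
  const arr = [];
  return {
    store(name, value) { arr[name] = value; }, // plain assignment ([[Put]])
    add(x) { arr.push(x); },                   // push resolved via arr's prototype chain
    size() { return arr.length; },
  };
}

// Hardened variant: the private array inherits from a frozen prototype whose
// own push is a non-writable data property. Per ES5.1 [[CanPut]], an
// assignment that would shadow an inherited non-writable data property must
// fail, so store() cannot install a fake push. Freezing Array.prototype
// itself gives the same result process-wide; a local prototype is used here
// only to keep the example self-contained.
const FrozenArrayProto = Object.freeze(
  Object.create(Array.prototype, {
    push: { value: Array.prototype.push, writable: true, configurable: true },
  }) // Object.freeze makes push non-writable and non-configurable
);

function makeHardenedTable() {
  const arr = Object.setPrototypeOf([], FrozenArrayProto);
  return {
    store(name, value) { arr[name] = value; }, // same assignment as above
    add(x) { arr.push(x); },
    size() { return arr.length; },
  };
}

// Bob's attack from the thread: store a function under the name "push" so the
// next add() calls it with `this` bound to the private array. On the hardened
// table the rejected assignment throws a TypeError in strict code and is
// silently ignored in sloppy code; the try/catch makes both modes behave alike.
function bob(t) {
  let stolenArray;
  const hackedPush = function () { stolenArray = this; };
  try {
    t.store('push', hackedPush);
  } catch (e) {
    // strict mode: TypeError from the rejected [[Put]]
  }
  t.add(0);
  return stolenArray; // the private array if the attack worked, else undefined
}

// Runs the attack against both tables and reports what happened.
function demo() {
  const leaked = bob(makeTable());
  const hardened = makeHardenedTable();
  const leakedFromHardened = bob(hardened);
  return {
    unhardenedLeaks: Array.isArray(leaked),        // true: private array stolen
    hardenedLeaks: leakedFromHardened !== undefined, // false: assignment rejected
    hardenedStillWorks: hardened.size() === 1,       // true: real push ran
  };
}

console.log(demo());
```

The protection in the hardened table holds only because store() uses assignment, which goes through [[Put]]/[[CanPut]]; if store() had used Object.defineProperty on the private array instead, it would create an own property regardless of the prototype's writability, and the attack would work again. This is the behaviour MarkM describes: an engine that lets plain assignment override a non-writable inherited property (the v8 bug) is exactly what the attack needs.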
