
Re: [caplet] Testing whether something is a function

  • Bill Frantz
    Message 1 of 4 , Dec 2, 2007
      {"Fwd: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re:" removed
      from Subject tag for aesthetic reasons.}

      erights@... (Mark S. Miller) on Sunday, December 2, 2007 wrote:

      >On 12/2/07, Mark Miller <erights@...> wrote:
      >> Successful attack on ADsafe due to a Firefox bug that is fixed in the
      >> development trunk, but apparently not expected to appear in a Firefox
      >> 2.0.0.x <https://bugzilla.mozilla.org/show_bug.cgi?id=406337>.
      >
      >Just to be clear: The bug is apparently not expected to be fixed for
      >any FF 2.0.0.x.

      One thing people building Javascript sanitizers (e.g. ADsafe and Caja)
      need to consider is how important it is to protect against attacks on
      browsers which have been fixed in the latest versions. With the
      automatic update facilities available in Fedora, MacOS, and Windows,
      fixes get out a lot faster, and to a broader part of the installed base.
      However, last I heard, Microsoft specifically does not support illegal
      copies of Windows. (They were being pressured to provide security fixes
      for the safety of the general community.) Since there are a lot of
      illegal copies of Windows, these systems remain vulnerable.

      Cheers - Bill

      -----------------------------------------------------------------------
      Bill Frantz | gets() remains as a monument | Periwinkle
      (408)356-8506 | to C's continuing support of | 16345 Englewood Ave
      www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
    • Douglas Crockford
      Message 2 of 4 , Dec 3, 2007
        ADsafe does not allow 'call', so

        foo.call(null)

        does not pass, but it does allow

        foo()

        I think they are calling foo as with new, so it returns this (compounding the
        specification error that binds this to the global object) instead of undefined.
        This is horrible.


        Mark Miller wrote:
        > Successful attack on ADsafe due to a Firefox bug that is fixed in the
        > development trunk, but apparently not expected to appear in a Firefox
        > 2.0.0.x <https://bugzilla.mozilla.org/show_bug.cgi?id=406337>.
        >
        >
        > MarkM wrote:
        >> In the squarefree shell on Firefox 2.0.0.10 on Mac OS X:
        >>
        >> function foo() { print(this); }
        >>
        >> foo()
        >> [object Window]
        >>
        >> foo.call({})
        >> [object Object]
        >>
        >> foo.call(null)
        >> [object Window]
        >>
        >> foo.call({valueOf: function(){return null;}})
        >> [object Window]
        >>
        >> The last case shows the problem. By contrast, Safari 3.0.4 seems to
        >> handle this case correctly:
        >>
        >> function foo() { print(this); }
        >>
        >> foo()
        >> [object DOMWindow]
        >>
        >> foo.call({})
        >> [object Object]
        >>
        >> foo.call(null)
        >> [object DOMWindow]
        >>
        >> foo.call({valueOf: function(){return null;}})
        >> [object Object]
        >>
        >> This particular bug of Firefox's is surprisingly troublesome from a
        >> Caja security perspective, so it would be great to see it fixed in
        >> 1.8. Thanks!
        >
        >
        > ---------- Forwarded message ----------
        > From: John Resig <jeresig@...>
        > Date: Dec 1, 2007 10:50 AM
        > Subject: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re:
        > Testing whether something is a function
        > To: jquery-dev@...
        > Cc: google-caja-discuss@...
        >
        >
        > I agree that this is rather serious.
        >
        > I just created a new bug focusing on this:
        > https://bugzilla.mozilla.org/show_bug.cgi?id=406337
        >
        > I've also used this bug to create an attack vector for ADSafe:
        > http://ejohn.org/apps/adsafe/valueOf.html
        >
        > Let's hope this follows through!
        >
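A load-time self-test of the kind a sanitizer could run before trusting the host engine, added here as an example (it is not code from the thread, nor from ADsafe or Caja; the function names are my own). It replays the four cases from MarkM's shell session and reports whether a receiver whose valueOf() returns null is replaced by the global object, which is the Firefox 2.0.0.x behaviour the thread discusses.

```javascript
// Added example, not from the thread. A sloppy-mode function is built with the
// Function constructor so the probe behaves the same whether or not the
// surrounding module is in strict mode (function names are hypothetical).
var probe = new Function('return this;');
var GLOBAL_OBJECT = probe(); // a bare sloppy-mode call yields the global object

// Describe what `this` became for one call: 'global', 'receiver' or 'other'.
function classify(result, receiver) {
  if (result === GLOBAL_OBJECT) return 'global';
  if (result === receiver) return 'receiver';
  return 'other';
}

// Run the four cases from MarkM's shell session and report each outcome.
function thisBindingReport() {
  var plain = {};
  var nullish = { valueOf: function () { return null; } };
  return {
    bareCall: classify(probe(), undefined),
    callEmptyObject: classify(probe.call(plain), plain),
    callNull: classify(probe.call(null), null),
    callValueOfNull: classify(probe.call(nullish), nullish)
  };
}

// True when the host shows the bug: an object whose valueOf() returns null is
// swapped for the global object. A sanitizer that depends on `this` staying an
// ordinary object can use this to refuse to run on such a host.
function hostLeaksGlobalViaValueOf() {
  return thisBindingReport().callValueOfNull === 'global';
}
```

On a correct engine the report reads global, receiver, global, receiver for the four cases, matching the Safari 3.0.4 session quoted above.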