Loading ...
Sorry, an error occurred while loading the content.

Re: [caplet] Fwd: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re: Testing whether something is a function

Expand Messages
  • Douglas Crockford
    ADsafe does not allow call , so foo.call(null) does not pass, but it does allow foo() I think they are calling foo as with new, so it returns this
    Message 1 of 4 , Dec 3, 2007
    View Source
    • 0 Attachment
      ADsafe does not allow 'call', so

      foo.call(null)

      does not pass, but it does allow

      foo()

      I think they are calling foo as with new, so it returns this (compounding the
      specification error that binds this to the global object) instead of undefined.
      This is horrible.


      Mark Miller wrote:
      > Successful attack on ADsafe due to a Firefox bug that is fixed in the
      > development trunk, but apparently not expected to appear in a Firefox
      > 2.0.0.x <https://bugzilla.mozilla.org/show_bug.cgi?id=406337>.
      >
      >
      > MarkM wrote:
      >> In the squarefree shell on Firefox 2.0.0.10 on Mac OS X:
      >>
      >> function foo() { print(this); }
      >>
      >> foo()
      >> [object Window]
      >>
      >> foo.call({})
      >> [object Object]
      >>
      >> foo.call(null)
      >> [object Window]
      >>
      >> foo.call({valueOf: function(){return null;}})
      >> [object Window]
      >>
      >> The last case shows the problem. By contrast, Safari 3.0.4 seems to
      >> handle this case correctly:
      >>
      >> function foo() { print(this); }
      >>
      >> foo()
      >> [object DOMWindow]
      >>
      >> foo.call({})
      >> [object Object]
      >>
      >> foo.call(null)
      >> [object DOMWindow]
      >>
      >> foo.call({valueOf: function(){return null;}})
      >> [object Object]
      >>
      >> This particular bug of Firefox's is surprisingly troublesome from a
      >> Caja security perspective, so it would be great to see it fixed in
      >> 1.8. Thanks!
      >
      >
      > ---------- Forwarded message ----------
      > From: John Resig <jeresig@...>
      > Date: Dec 1, 2007 10:50 AM
      > Subject: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re:
      > Testing whether something is a function
      > To: jquery-dev@...
      > Cc: google-caja-discuss@...
      >
      >
      > I agree that this is rather serious.
      >
      > I just created a new bug focusing on this:
      > https://bugzilla.mozilla.org/show_bug.cgi?id=406337
      >
      > I've also used this bug to create an attack vector for ADSafe:
      > http://ejohn.org/apps/adsafe/valueOf.html
      >
      > Let's hope this follows through!
      >
      >
      >
      > Yahoo! Groups Links
      >
      >
      >
      >
    Your message has been successfully submitted and would be delivered to recipients shortly.