
[Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re: Testing whether somethin

  • Douglas Crockford
    Message 1 of 3 , Dec 9, 2007
      --- In caplet@yahoogroups.com, "Mark Miller" <erights@...> wrote:

      > Never mind. I just ran it through JSLint, tried it, and looked at it
      > again:
      >
      >
      > (function(){
      > var obj = {};
      > obj.test = obj.valueOf;
      > obj.valueOf = function(){ return null; };
      > obj.test.bind(obj)().alert("uh oh");
      > // Exploit Caja:
      > //obj.test.call(obj).alert("uh oh");
      > })();
      >
      >
      > Ignoring the commented out lines (which would successfully attack Caja
      > as you say), the ADsafe vulnerability here is due to "bind" not being
      > on ADsafe's blacklist in addition to "call" and "apply". I'd say this
      > also highlights the fragility of the blacklisting strategy, as one
      > never knows what random extensions browser vendors have added to
      > JavaScript. Caja has the opposite vulnerability here because we do
      > whitelist "call".

      I don't understand this. What is bind in this example? When I ran it
      in FireFox 2.0.0.11, it reported 'obj.test.bind is not a function'.
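An added example, not part of the original thread and not ADsafe's or Caja's code: it scans the quoted snippet as text and compares a denylist filter with an allowlist filter over the member names it uses. The two lists and all function names are assumptions chosen to mirror what the quoted message says about "call", "apply" and "bind".

```javascript
// Added illustration: compares a denylist and an allowlist filter over the
// member names used in the snippet quoted in the thread. The list contents
// are assumptions for the demo, not ADsafe's or Caja's real rule sets.

// Snippet from the thread, embedded as text so it is only scanned, never run.
const SNIPPET = `
(function(){
var obj = {};
obj.test = obj.valueOf;
obj.valueOf = function(){ return null; };
obj.test.bind(obj)().alert("uh oh");
// Exploit Caja:
//obj.test.call(obj).alert("uh oh");
})();`;

// Hypothetical lists: the denylist mirrors the thread ("call" and "apply"
// listed, "bind" not); the allowlist mirrors the thread's note that "call"
// is allowed.
const DENYLIST = new Set(["call", "apply"]);
const ALLOWLIST = new Set(["test", "valueOf", "alert", "call"]);

// Collect each distinct `.name` member access. By default // comments are
// dropped; with keepComments the comment markers are removed instead, so the
// commented-out line is scanned as if it were active.
function memberNames(src, keepComments = false) {
  const code = keepComments
    ? src.replace(/^[ \t]*\/\//gm, "")
    : src.replace(/\/\/.*$/gm, "");
  const hits = [...code.matchAll(/\.\s*([A-Za-z_$][\w$]*)/g)].map(m => m[1]);
  return [...new Set(hits)];
}

// Denylist: anything not explicitly listed is accepted (fails open).
function rejectedByDenylist(names) {
  return names.filter(n => DENYLIST.has(n));
}

// Allowlist: anything not explicitly listed is rejected (fails closed).
function rejectedByAllowlist(names) {
  return names.filter(n => !ALLOWLIST.has(n));
}

const active = memberNames(SNIPPET);
console.log("member names:", active);
console.log("denylist rejects:", rejectedByDenylist(active));
console.log("allowlist rejects:", rejectedByAllowlist(active));
```

With the commented-out line included (`memberNames(SNIPPET, true)`), the allowlist still rejects only `bind`, because `call` is on it: failing closed covers unknown names, not names that were listed by mistake.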