
False Alarm (was: Testing whether something is a function)

  • Mark Miller
    Message 1 of 2 , Dec 9, 2007
      On Dec 9, 2007 4:54 AM, Douglas Crockford <douglas@...> wrote:
      > --- In caplet@yahoogroups.com, "Mark Miller" <erights@...> wrote:
      > > (function(){
      > > var obj = {};
      > > obj.test = obj.valueOf;
      > > obj.valueOf = function(){ return null; };
      > > obj.test.bind(obj)().alert("uh oh");
      > > // Exploit Caja:
      > > //obj.test.call(obj).alert("uh oh");
      > > })();

      > I don't understand this. What is bind in this example? When I ran it
      > in FireFox 2.0.0.11, it reported 'obj.test.bind is not a function'.


      Jeez, my mistake again. I saw
      http://ejohn.org/apps/adsafe/valueOf.html pop up an "uh oh" alert, did
      a view source, saw the above text, pasted it into JSLint with ADsafe
      checked, and saw it pass. So I just assumed that Mozilla had added the
      common Function.prototype.bind() extension to their JavaScript, as
      they've added in various other extensions
      <http://developer.mozilla.org/en/docs/Category:JavaScript_version_overviews>
      <http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Object>.
      But when I saw your message, I did a bit of testing and saw that
      Function.prototype.bind() is not among them. (I'm also using Firefox
      2.0.0.11.)

      I now see that <http://ejohn.org/apps/adsafe/valueOf.html> first loads
      the Prototype library by doing <script src="prototype.js"></script>.
      Prototype defines bind() as:

      Object.extend(Function.prototype, {
        ...
        bind: function() {
          if (arguments.length < 2 && arguments[0] === undefined) return this;
          var __method = this, args = $A(arguments), object = args.shift();
          return function() {
            return __method.apply(object, args.concat($A(arguments)));
          }
        },


      It is now clear that this isn't an attack on ADsafe running on Firefox
      2.0.0.11. It's an attack only on ADsafe running on Firefox + Prototype
      (or other libraries which add such a bind() extension, which many do).
      But it still highlights the fragility of the blacklisting strategy. If
      Firefox 2.0.0.12 adds a bind() extension without fixing the valueOf()
      bug, that would open an ADsafe hole.

      In any case, I apologize for the noise I've contributed to this
      discussion. Several times, I should have looked a bit closer before
      hitting "send".

      --
      Text by me above is hereby placed in the public domain

      Cheers,
      --MarkM
    • Adam Barth
      Message 2 of 2 , Dec 9, 2007
        > I now see that <http://ejohn.org/apps/adsafe/valueOf.html> first loads
        > the Prototype library by doing <script src="prototype.js"></script>.
        > Prototype defines bind() as:
        >
        > Object.extend(Function.prototype, {

        This does point out how easy it is for a web site using ADsafe to
        accidentally give away its security by modifying the prototype of
        Object (and possibly other objects). This is probably obvious to
        Doug, but something I hadn't realized until now. It's probably worth
        a note at the bottom of www.adsafe.org. Also, is there a way for the
        ADsafe library (maybe in a "debug mode") to do a sanity check to see
        whether the web developer has screwed this up?

        Adam
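
One way to build the debug-mode sanity check asked about above, as an added example that is not part of the original thread and is not ADsafe's own code. It snapshots the built-in prototypes before any library loads and later reports anything added, replaced or removed. The names `WATCHED`, `snapshotBuiltins`, `checkBuiltins` and `BASELINE` are hypothetical, and the ES5 reflection calls it uses postdate this 2007 discussion.

```javascript
// Added example; function names are hypothetical and not part of ADsafe.
var WATCHED = {
  "Object.prototype": Object.prototype,
  "Function.prototype": Function.prototype,
  "Array.prototype": Array.prototype,
  "String.prototype": String.prototype
};

// Record name -> value for every own property of each watched prototype.
// Assumption: this first runs before any other script, so the baseline
// reflects only what the engine itself provides.
function snapshotBuiltins() {
  var snap = {};
  Object.keys(WATCHED).forEach(function (label) {
    var props = Object.create(null); // no inherited keys, "__proto__" is safe
    Object.getOwnPropertyNames(WATCHED[label]).forEach(function (name) {
      var d = Object.getOwnPropertyDescriptor(WATCHED[label], name);
      // Read through the descriptor so accessors are never invoked.
      props[name] = "value" in d ? d.value : d.get;
    });
    snap[label] = props;
  });
  return snap;
}

// Diff the live prototypes against the baseline. Returns strings such as
// "Function.prototype.bind added" or "Object.prototype.valueOf replaced".
function checkBuiltins(baseline) {
  var now = snapshotBuiltins(), findings = [];
  Object.keys(WATCHED).forEach(function (label) {
    var before = baseline[label], after = now[label];
    Object.getOwnPropertyNames(after).forEach(function (name) {
      if (!(name in before)) {
        findings.push(label + "." + name + " added");
      } else if (before[name] !== after[name]) {
        findings.push(label + "." + name + " replaced");
      }
    });
    Object.getOwnPropertyNames(before).forEach(function (name) {
      if (!(name in after)) findings.push(label + "." + name + " removed");
    });
  });
  return findings;
}

// Debug-mode use: take the baseline first, load the page's libraries,
// then refuse to host guest code if checkBuiltins(BASELINE) is non-empty.
var BASELINE = snapshotBuiltins();
```

On an engine that ships its own `bind()`, the native function is part of the baseline, so only a library that overwrites it is reported.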