Loading ...
Sorry, an error occurred while loading the content.

Re: [Caja] eval() in FF3 - just in case...

Expand Messages
  • Mark S. Miller
    On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich ... Wow. No, we had no idea. I admit that I am shocked that the one tight encapsulation mechanism in
    Message 1 of 3 , Jun 27, 2008
    View Source
    • 0 Attachment
      On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich
      <Mario.Heiderich@...> wrote:
      >
      > http://peter.michaux.ca/article/8069
      >
      > Just in case this is not known/intercepted yet.

      Wow. No, we had no idea. I admit that I am shocked that the one tight
      encapsulation mechanism in JavaScript itself -- lexical closures --
      has now been ruined. Fortunately, all safe JavaScript subsets (Caja,
      Cajita, ADsafe, FBJS, Jacaranda) already prevent access to the eval
      function, as they must. So we should all be safe from this particular
      new hole. However, so long as browser vendors feel free to quietly
      introduce holes this large in existing functions...


      --
      Cheers,
      --MarkM
    • brendaneich
      ... I reply-all ed since Mark cc ed me, but I was not a member of the caplet@yahoogroups.com list so the message bounced off that address. Here s the
      Message 2 of 3 , Jun 27, 2008
      View Source
      • 0 Attachment
        --- In caplet@yahoogroups.com, "Mark S. Miller" <erights@...> wrote:
        >
        > On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich
        > <Mario.Heiderich@...> wrote:
        > >
        > > http://peter.michaux.ca/article/8069
        > >
        > > Just in case this is not known/intercepted yet.
        >
        > Wow. No, we had no idea.

        I reply-all'ed since Mark cc'ed me, but I was not a member of the
        caplet@yahoogroups.com list so the message bounced off that address.
        Here's the caja-discuss link:

        http://groups.google.com/group/google-caja-discuss/msg/ead8d8597a22c013

        /be
      • Mark S. Miller
        ... Hi Brendan, I was completely unaware of this history and did indeed think that this was a newly opened hole. I m very pleased to find that it isn t. I m
        Message 3 of 3 , Jun 27, 2008
        View Source
        • 0 Attachment
          On Fri, Jun 27, 2008 at 12:39 PM, Brendan Eich <brendan@...> wrote:
          > There's no "now" -- this old eval extension was added over ten years ago:
          >
          > http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jsobj.c&rev=3.2&mark=580-590

          Hi Brendan, I was completely unaware of this history and did indeed
          think that this was a newly opened hole. I'm very pleased to find that
          it isn't. I'm especially pleased to hear that you folks plan to remove
          this in a future release. Thanks for the clarification!


          --
          Cheers,
          --MarkM
        Your message has been successfully submitted and would be delivered to recipients shortly.