Loading ...
Sorry, an error occurred while loading the content.

Re: [Caja] Re: More undocumented silliness in Firefox/SpiderMonkey

Expand Messages
  • Mike Samuel
    We should add tests though to make sure we stay invulnerable to that. 2009/7/29 Mike Stay ... We should add tests though to make sure we
    Message 1 of 1 , Jul 29 9:22 PM
    • 0 Attachment
      We should add tests though to make sure we stay invulnerable to that.

      2009/7/29 Mike Stay <metaweta@...>

      No; arguments is rewritten in cajita to a___ and in valija to
      Array.slice(arguments,1).

      On Wed, Jul 29, 2009 at 5:46 PM, David-Sarah
      Hopwood<david-sarah@...> wrote:
      >
      > <http://webreflection.blogspot.com/2009/06/javascript-arguments-weridness.html>
      > [sic] notes the following strange mifeaturosity of SpiderMonkey, still
      > present in Firefox 3.5.1:
      >
      >  function args() {
      >    alert(arguments[-3] === arguments.callee);
      >    alert(arguments[-2] === arguments.length);
      >  };
      >
      > The potential security weakness here is that if a function delegates
      > 'arguments' to a callee, it will inadvertently grant access to itself
      > via arguments[-3].
      >
      > Jacaranda narrowly dodged being vulnerable to this weakness because
      > 'arguments' is not a first-class expression, and can only be delegated
      > by saying 'ConstArray(arguments)', which filters out all but
      > nonnegative-indexed properties. Is the current implementation of
      > Cajita or of any of the other subsets vulnerable?
      >
      > --
      > David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
      >
      >



      --
      Mike Stay - metaweta@...
      http://math.ucr.edu/~mike
      http://reperiendi.wordpress.com

    Your message has been successfully submitted and would be delivered to recipients shortly.