On 13/08/2013 00:52, Jim Blandy wrote:
> On 08/12/2013 03:41 PM, Jim Blandy wrote:
>> We might be able to do it with a Debugger source-rewriting hook, like
>> the one Marc Feeley implemented. (That's all but ready to land; I
>> need to take care of that before it bit-rots.)
>
> What I can't see how to do this way, though, is retaining taint on
> property names. If I say:
>
>     let n = <some string>;
>     let nt = <same string as n, but tainted>;
>     let o = {}; o[n] = 42;
>     let ot = {}; ot[nt] = 42;
>     let m = Object.getOwnPropertyNames(o)[0];
>     let mt = Object.getOwnPropertyNames(ot)[0];
>     let x = o[nt];
>     let xt = ot[n];
>
> then m === mt should be true, and x and xt should both be 42, but mt
> should be tainted and m not.
>
> It seems like we'd need to re-implement objects to make this work.
> Which can be done, but...
>
> Is there a better way?

I don't know about better, but I have a different way: make all objects
proxies and, for each of these proxies, store the property names as they
come as trap arguments in an array. Return this array for
Object.getOwnPropertyNames/keys/for-in, etc.
Crazy expensive, I know, which is why I held off on saying "better" :-)

David
_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals