On Thu, Aug 14, 2014 at 1:59 PM, Mike Stay <[email protected]> wrote:
> Guest code can crash the browser. It may be further exploitable with more
> cleverness.
> https://bugs.webkit.org/show_bug.cgi?id=131137
>
For reference,
"When using the Function constructor to create a function with the string
"})({", the invoking process will crash. When using a string such as
"})str({", an error is thrown instead. Changing it to "});str({" will again
cause a crash."
SES already has logic to detect Function() that can be escaped by
brackets (problem id: CANT_SAFELY_VERIFY_SYNTAX) and patch it.
On Safari 7.0.5 (9537.77.4) which I happen to have handy, it does detect
the problem, and repairs it in a way which, empirically, prevents the crash.
--
You received this message because you are subscribed to the Google Groups
"Google Caja Discuss" group.
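The SES repair mentioned above guards the `Function` constructor so that parameter and body strings cannot break out of their syntactic slots. The following is an added example of such a guard, my own sketch rather than SES's repairES5 code (`safeFunction`, `bracketsBalanced` and `isRejected` are invented names): a bracket-balance pre-scan keeps an unbalanced body such as "})({" from ever reaching the native constructor, and a post-check compares the created function's source with the canonical form that Function.prototype.toString returns for dynamically created functions (guaranteed since ES2019).

```javascript
// Added example (not SES code): a guarded Function constructor. Names such as
// safeFunction and bracketsBalanced are made up for this sketch.
const UnsafeFunction = Function;
const IDENT = /^[A-Za-z_$][\w$]*$/;           // plain identifiers only

// Scan source text, skipping string/template literals and comments, and report
// whether (), {}, [] stay balanced and never close below depth 0. Regex
// literals are not recognised, so a body like `return /}/` is rejected (the
// safe direction): this is a pre-filter, not a JavaScript parser.
function bracketsBalanced(src) {
  const closer = { '(': ')', '{': '}', '[': ']' };
  const stack = [];
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '"' || c === "'" || c === '`') {                 // literal
      for (i++; i < src.length && src[i] !== c; i++) if (src[i] === '\\') i++;
      if (i >= src.length) return false;                      // unterminated
    } else if (c === '/' && src[i + 1] === '/') {              // line comment
      while (i < src.length && src[i] !== '\n') i++;
    } else if (c === '/' && src[i + 1] === '*') {              // block comment
      const end = src.indexOf('*/', i + 2);
      if (end < 0) return false;        // an open comment would eat the wrapper
      i = end + 1;
    } else if (c in closer) {
      stack.push(closer[c]);
    } else if (c === ')' || c === '}' || c === ']') {
      if (stack.pop() !== c) return false;   // closes something outside the body
    }
  }
  return stack.length === 0;
}

// Build a function only if params and body cannot escape their slots.
function safeFunction(params, body) {
  params = String(params); body = String(body);
  const names = params.trim() === '' ? [] : params.split(',').map(s => s.trim());
  if (!names.every(n => IDENT.test(n))) throw new SyntaxError('bad parameter list');
  if (!bracketsBalanced(body)) throw new SyntaxError('body is not bracket-balanced');
  const f = UnsafeFunction(names.join(','), body);
  // ES2019+: the source text of a Function-constructed function is exactly this
  // canonical form, so a parse that drifted from it means the body escaped.
  const expected = 'function anonymous(' + names.join(',') + '\n) {\n' + body + '\n}';
  if (typeof f !== 'function' || UnsafeFunction.prototype.toString.call(f) !== expected) {
    throw new SyntaxError('body escaped its function wrapper');
  }
  return f;
}

// True if safeFunction rejects the pair, e.g. the "})({" crash input above.
function isRejected(params, body) {
  try { safeFunction(params, body); return false; } catch (e) { return e instanceof SyntaxError; }
}
```

The pre-scan is deliberately conservative: a body it cannot account for is refused rather than handed to the engine.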