Status: New
Owner: ----
New issue 981 by [email protected]: Primordial privilege escalation from
bad this-coercion
http://code.google.com/p/v8/issues/detail?id=981
To avoid privilege escalation bugs by global object leakage, ES5 repaired
Ch15 to coerce the this-bindings of its methods by "ToObject". Thus,
primitive values wrap but null and undefined throw an exception instead.
For example, 15.4.4.10 Array.prototype.slice step 1 says:
1. Let O be the result of calling ToObject passing the this value as
the argument.
However, on Minefield 4.0b8pre (2010-12-14)
// Browser-only: make the global object look array-like (indexed
// properties plus a length), then call slice with a null this value.
window[0] = 'a';
window[1] = 'b';
window[2] = 'c';
window.length = 3;
[].slice.call(null, 0); // prints a,b,c
showing that slice still leaks access to the global object.
I am not checking the "Many users could be harmed by this security problem:
it should be kept hidden from the public until it is resolved." box below
because FF4 is not yet released so there's time to fix this before people
can be harmed by this problem.
See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
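The ES5 rule the report relies on (a null or undefined this value must throw a TypeError from ToObject, a primitive must be boxed) can be turned into a small conformance probe that a defender runs against an engine to spot this class of global-object leak. This is an added example, not code from the report, v8 or Mozilla; the function names and the list of probed methods are assumptions made for the example.

```javascript
// Added example: probe ES5 "this"-coercion (ToObject) on built-in methods.
// Per ES5 15.4.4.10 step 1, calling a method with a null or undefined this
// value must throw a TypeError rather than fall back to the global object,
// while a primitive this value is boxed. Names here are assumptions for this
// example, not engine code.

// Call one method with the given receiver and report whether it threw a
// TypeError (correct) or completed (suspect: the receiver may have been
// replaced by the global object).
function probeReceiver(name, fn, receiver, args) {
  try {
    fn.apply(receiver, args);
    return { name: name, receiver: receiver, threw: false };
  } catch (e) {
    return { name: name, receiver: receiver, threw: e instanceof TypeError };
  }
}

// Methods whose ES5 text begins with "Let O be the result of calling
// ToObject passing the this value". Constructed list for this example.
var PROBES = [
  ['Array.prototype.slice', Array.prototype.slice, [0]],
  ['Array.prototype.join', Array.prototype.join, [',']],
  ['Array.prototype.indexOf', Array.prototype.indexOf, ['a']],
  ['Array.prototype.forEach', Array.prototype.forEach, [function () {}]],
  ['Object.prototype.hasOwnProperty', Object.prototype.hasOwnProperty, ['x']]
];

// Returns the names of methods that did NOT throw TypeError for a null or
// undefined receiver. An empty array means the engine coerces correctly.
function findLeakyReceivers() {
  var leaky = [];
  PROBES.forEach(function (p) {
    [null, undefined].forEach(function (recv) {
      var r = probeReceiver(p[0], p[1], recv, p[2]);
      if (!r.threw) leaky.push(p[0] + ' with ' + String(recv));
    });
  });
  return leaky;
}

// Positive control: a primitive receiver must be boxed, not rejected.
// slice on the string 'abc' yields ['a', 'b', 'c'].
function primitiveIsBoxed() {
  var out = Array.prototype.slice.call('abc', 0);
  return out.length === 3 && out.join('') === 'abc';
}
```

On a conforming engine findLeakyReceivers() returns an empty array; the Minefield build in the report would have listed Array.prototype.slice for both null and undefined.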