Status: New
Owner: ----
New issue 2532 by [email protected]: Create Map object that does not have
__proto__ quirk
http://code.google.com/p/v8/issues/detail?id=2532
Per [StackOverflow question](http://stackoverflow.com/q/14739312/463304).
In Java, I find it straightforward to take a string and use it as a key in
a `LinkedHashMap`. I can even translate it into JSON and back with no
troubles.
I am using Node.JS/JavaScript now, and there is a special case that is not
handled.
```js
var makesSense = '{"__proto__":"foo","toString":"bar"}'
var noSense = JSON.stringify(JSON.parse('{"__proto__":"foo","toString":"bar"}'))
console.log(noSense) // outputs {"toString":"bar"}
```
I want a slick way to permit keys to be named `__proto__` and other things
like it.
Why does this matter?
Surely nobody is actually going to type `__proto__` by accident. But what
if they were doing this on purpose? They learn I am using JavaScript, so
what? - No problems except in the following situation:
- Software has an array of strings. It just so happens one of these
strings says `__proto__` because someone was poking around trying to break
my software.
- Software creates a Map using those strings for a key, and fills the Map
with some nice data.
- Software later goes through the array of strings, and collects the
information from the Map. The Map returns something null, and then
*boom*: null pointer exception.
- Software now does not work. This would qualify as something sort of
like denial of service.
I know that that situation is absolutely very rare, but I don't like it.
I cannot remember all the quirks of the programming language I am using,
so given enough time, I am bound to write this kind of code.
I pride myself on creating code that is not subject to tampering. So, I
am attempting to eliminate these pinholes from my software.
I recommend that you allow creation of a special kind of object.
The code could be something like `var myMap = new Map()` instead of `var
myMap = {}`. Creating a `Map` would mean the `__proto__` key would be
completely bypassed, as if it was not even there. `__proto__`, and similar
quirks (like `toString`) would be treated like any other key.
--
v8-dev mailing list
http://groups.google.com/group/v8-dev
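The scenario from the report, as an added example that is not part of the original issue or of V8's code: the same untrusted key list is stored in a plain `{}`, in a prototype-less object, and in the standard ES2015 `Map`, then read back. The key list, the `record-N` values and all function names are constructed for illustration.

```javascript
// Added example. Constructed input: keys as an untrusted client might send them.
const untrustedKeys = ['alice', '__proto__', 'toString'];

// Three containers filled the same way: key -> 'record-<index>'.
function fillPlainObject(keys) {
  const table = {};                       // inherits from Object.prototype
  keys.forEach((k, i) => { table[k] = 'record-' + i; });
  return { get: (k) => table[k], size: () => Object.keys(table).length };
}

function fillNullProtoObject(keys) {
  const table = Object.create(null);      // no prototype, so no __proto__ setter
  keys.forEach((k, i) => { table[k] = 'record-' + i; });
  return { get: (k) => table[k], size: () => Object.keys(table).length };
}

function fillMap(keys) {
  const table = new Map();                // keys never touch the prototype chain
  keys.forEach((k, i) => table.set(k, 'record-' + i));
  return { get: (k) => table.get(k), size: () => table.size };
}

// Read every key back and report the ones whose record was lost or replaced.
function lostKeys(container, keys) {
  return keys.filter((k, i) => container.get(k) !== 'record-' + i);
}

// A key that was never stored must read back as undefined.
function phantomHit(container) {
  return container.get('constructor') !== undefined;
}

for (const [name, fill] of [['{}', fillPlainObject],
                            ['Object.create(null)', fillNullProtoObject],
                            ['Map', fillMap]]) {
  const c = fill(untrustedKeys);
  console.log(name, 'size:', c.size(), 'lost:', lostKeys(c, untrustedKeys),
              'phantom constructor:', phantomHit(c));
}
```

In the plain object the `__proto__` write is swallowed by the inherited setter, and a key that was never stored (`constructor`) still returns a value, so both "missing" and "present" checks on untrusted keys are unreliable there.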