Closed Bug 1138055 Opened 10 years ago Closed 9 years ago

Review Shumway's name resolution to ensure content can't access arbitrary properties on arbitrary objects

Categories

(Firefox Graveyard :: Shumway, defect)

Product:
Firefox Graveyard
Component:
Shumway
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: till, Unassigned)

References

Details

All names in AS3 are namespaced. Shumway implements this using a name-mangling scheme. In the interpreter, all name lookups happen through a direct implementation of the name resolution algorithm that Tamarin uses, too. In the JIT compiler, statically-known names are sometimes resolved during compilation and the lookup is done with the mangled name as a normal JS name lookup.

Since the runtime itself and all our builtins run in the same compartment, any escape from this name mangling, i.e. any way that content can access non-mangled names, would mean that we've probably lost all sandbox protection inside the compartment. That in itself isn't truly fatal as the content would still need to circumvent our other two layers of sandboxing to gain chrome privileges. It would, however, mean that our SecurityDomain implementation could be circumvented, so content from a SWF from one domain could freely access the innards of a SWF from another domain loaded into the same player instance.

mbx is currently reworking much of this, so it wouldn't make sense to review the current state, but that should change soon-ish.
Blocks: shumway-later
No longer blocks: shumway-m4
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.