Closed Bug 1267041 Opened 6 years ago Closed 6 years ago

Setting Function.prototype.prototype causes weird behaviour

Categories

(Core :: JavaScript Engine, defect, P2)

48 Branch
defect

Tracking


RESOLVED DUPLICATE of bug 1263525
Tracking Status
firefox47 --- unaffected
firefox48 --- fixed

People

(Reporter: hsteen, Unassigned)

References


Details

(Keywords: regression, sec-audit)

Attachments

(1 file)

Attached file wc2440.htm - TC
Kayak.com depends on, among others, the Dean Edwards base library. For whatever reason, Dean has this line of code among his utilities:

Function.prototype.prototype = {};

This triggers a regression that causes some weird behaviour in current Nightly when other JS on the Kayak site tries to use Array.prototype.slice.call(arguments) to get an array from an arguments object. What you get is classified as an Array, but actually its __proto__ is Object and it doesn't have the normal array methods. See TC.

Moved from https://webcompat.com/issues/2440
Ah, got it. ArraySpeciesCreate calls std_Array when |originalArray| is not an array. However, in the spec this doesn't call the default Array constructor but ArrayCreate. The default Array constructor (22.1.1), however, uses GetPrototypeFromConstructor, which would end up using this .prototype property.
So to summarize: using std_Array is wrong; we should probably use something like NewDenseArray?
Flags: needinfo?(arai.unmht)
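The following is an added example, not part of the bug report or of SpiderMonkey's code. It reproduces the failure mode described in the comment above using only standard ES2015 semantics, so it runs in any spec-compliant engine (Node included) rather than needing the affected Nightly: a bound function is used as a stand-in for the engine's internal newTarget, because bound functions have no own .prototype property, so GetPrototypeFromConstructor walks up to Function.prototype.prototype exactly as the comment describes. The spec-correct ArrayCreate path (slicing an arguments object) is shown alongside it and is unaffected by the patch. The helper names and the use of Reflect.construct are assumptions of this example; the page says nothing about how std_Array receives its newTarget.

```javascript
'use strict';
// Added example: simulate the effect of Dean Edwards' line
//     Function.prototype.prototype = {};
// on Array construction. Not from the bug report or the engine.

// Run fn with Function.prototype.prototype patched, then restore the global
// state so the patch does not leak into other code (assumption: nothing else
// has defined Function.prototype.prototype).
function withPatchedFunctionPrototype(fn) {
  const had = Object.prototype.hasOwnProperty.call(Function.prototype, 'prototype');
  Function.prototype.prototype = {};
  try {
    return fn();
  } finally {
    if (!had) delete Function.prototype.prototype;
  }
}

// Summarise the properties the bug report checks: Array.isArray, the
// [[Prototype]], and whether the normal array methods are reachable.
function describeArray(a) {
  return {
    isArray: Array.isArray(a),
    protoIsArrayPrototype: Object.getPrototypeOf(a) === Array.prototype,
    hasSlice: typeof a.slice === 'function',
    length: a.length,
  };
}

// Spec-compliant path: the receiver is an arguments object, not an array, so
// ArraySpeciesCreate falls back to ArrayCreate, which ignores any
// constructor's .prototype. The patch has no effect here.
function sliceArguments() {
  return withPatchedFunctionPrototype(function () {
    function f() { return Array.prototype.slice.call(arguments); }
    return describeArray(f(1, 2, 3));
  });
}

// Reproduction of the broken path: constructing through the Array constructor
// with a newTarget that has no own .prototype. A bound function is the
// stand-in here (assumption): Get(newTarget, "prototype") misses on the bound
// function, continues to Function.prototype, and finds the patched object,
// so the result is an Array exotic object whose [[Prototype]] is {}.
function constructViaNewTargetWithoutPrototype() {
  return withPatchedFunctionPrototype(function () {
    const newTarget = Array.bind(null);
    const a = Reflect.construct(Array, [1, 2, 3], newTarget);
    return describeArray(a);
  });
}

// Same construction without the patch: GetPrototypeFromConstructor finds no
// object-valued .prototype and uses the realm's %Array.prototype%.
function constructViaNewTargetWithoutPrototypeUnpatched() {
  const a = Reflect.construct(Array, [1, 2, 3], Array.bind(null));
  return describeArray(a);
}

console.log('slice.call(arguments), patched:', sliceArguments());
console.log('Reflect.construct via bound newTarget, patched:',
  constructViaNewTargetWithoutPrototype());
console.log('Reflect.construct via bound newTarget, unpatched:',
  constructViaNewTargetWithoutPrototypeUnpatched());
```

The second case is the shape the test case on this bug describes: Array.isArray reports true because the object is still an Array exotic object, but its prototype chain bypasses Array.prototype, so slice, map and friends are missing. This is why the fix is to allocate through ArrayCreate (NewDenseArray in SpiderMonkey terms) rather than through the constructor when the receiver is not an array.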
Sorry I forgot: Hallvord, thanks for this awesome test case!
Arai-san mentions this should be turned s-s. (ref bug 1263525)
Group: javascript-core-security
This is basically a dupe of bug 1263525, but might be better keeping this bug to track the issue on the website.
Now that we have an actual website that hits the issue, we should fix it quickly.
Flags: needinfo?(arai.unmht)
See Also: → 1263525
Hallvord, the fix from bug 1263525 landed on m-c on 04-26 (https://bugzilla.mozilla.org/show_bug.cgi?id=1263525#c13). Would you be able to validate that the issue with kayak.com is now fixed as expected on a latest Nightly build? Thanks!
Flags: needinfo?(hsteen)
Tested, works :) Let's call this a dupe of https://bugzilla.mozilla.org/show_bug.cgi?id=1263525
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(hsteen)
Resolution: --- → DUPLICATE
Duplicate of bug: 1263525
Group: javascript-core-security