Closed Bug 1286629 Opened 4 years ago Closed 3 years ago

Object.freeze does not prevent sloppy arguments object from mapping

Categories

(Core :: JavaScript Engine, defect)


RESOLVED FIXED
mozilla53
Tracking Status
firefox53 --- fixed

People

(Reporter: bakkot, Assigned: evilpie)

References

(Blocks 1 open bug)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce:

In the console or js shell, run:

(function(a) {
  Object.freeze(arguments);
  a = 1;
  return arguments[0] === 0;
})(0);



Actual results:

Should return true.

In particular, Object.freeze operates via SetIntegrityLevel (https://tc39.github.io/ecma262/#sec-setintegritylevel) which iterates over all properties and, for those which are not accessors, sets them to non-configurable *and non-writable* via DefineOwnProperty. DefineOwnProperty, for mapped arguments objects, says (in 9.4.4.2.8.b.ii; see https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc) that a non-writable descriptor should break the mapping between the arguments object and formal parameters. Instead, it is marked as non-writable and non-configurable, but the mapping remains.

This is a security issue: if you have a non-accessor property which is not configurable or writable, its value should not change.


Expected results:

Returns false.
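
The check described in the report, written out as an added example (it is not part of the original bug, nor the test attached to it). It covers Object.freeze and also a single non-writable descriptor applied with Object.defineProperty, which goes through the same DefineOwnProperty step; the names makeProbe, probes and checkArgumentsMapping are assumptions of this example.

```javascript
// Added example. Each probe is built with Function(), whose body is sloppy
// unless it opts in to strict mode, so `arguments` is a mapped arguments object
// even if this file is loaded as a module.
function makeProbe(lockStatement) {
  return new Function("a", `
    ${lockStatement}
    a = 1;  // write through the formal parameter, as in the report
    var d = Object.getOwnPropertyDescriptor(arguments, "0");
    return { value: arguments[0], writable: d.writable, configurable: d.configurable };
  `);
}

// Hypothetical probe names; the lock statements use only standard built-ins.
const probes = {
  // No integrity operation: the mapping is live, arguments[0] follows `a`.
  baseline: makeProbe(""),
  // SetIntegrityLevel "frozen": must detach arguments[0] from `a`.
  freeze: makeProbe("Object.freeze(arguments);"),
  // A single non-writable descriptor takes the same [[DefineOwnProperty]] path.
  nonWritable: makeProbe('Object.defineProperty(arguments, "0", { writable: false });'),
};

function checkArgumentsMapping(initial = 0) {
  const results = {};
  for (const [name, probe] of Object.entries(probes)) {
    const r = probe(initial);
    // Invariant from the report: a data property that is neither writable nor
    // configurable must keep the value it had when it was locked.
    r.invariantHolds = r.writable || r.configurable || r.value === initial;
    results[name] = r;
  }
  return results;
}

console.log(checkArgumentsMapping());
```

On an engine with the defect described above, the freeze probe reports value 1 with writable and configurable both false, so invariantHolds is false for it.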
See Also: → 594495
Blocks: es6
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → evilpies
Attachment #8814858 - Flags: review?(arai.unmht)
The actual problem here was fixed in bug 1175823.
Depends on: 1175823
Comment on attachment 8814858
Simple mapped arguments freeze test

Review of attachment 8814858:
-----------------------------------------------------------------

Thank you for the explanation :D
Attachment #8814858 - Flags: review?(arai.unmht) → review+
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ecd2e5b74e52
Test that Object.freeze prevents sloppy arguments object from mapping. r=arai
https://hg.mozilla.org/mozilla-central/rev/ecd2e5b74e52
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53