Closed Bug 1427727 Opened 6 years ago Closed 3 years ago

Make setSlot/setElement more robust

Tracking

()

Status:

RESOLVED FIXED

Tracking Flags:

Tracking

Status

firefox59

---

wontfix

People

(Reporter: jandem, Unassigned)

Details

(Keywords: sec-audit)

Jan de Mooij [:jandem]

Reporter

Description

•

6 years ago

We sometimes have TI bugs like bug 1427126 because people use setSlot/setElement instead of setSlotWithType/setElementWithType.

This is a footgun we should fix. I think we should:

* Rename setSlot and setElement to something more scary, like setSlotNoTypeUpdate.

* Make these functions assert TI correctness.

Jan de Mooij [:jandem]

Reporter

Comment 1

•

6 years ago

This might reveal security bugs.

Keywords: sec-audit

Jan de Mooij [:jandem]

Reporter

Updated

•

6 years ago

Flags: needinfo?(jdemooij)

Nicolas B. Pierron [:nbp]

Updated

•

6 years ago

status-firefox59: --- → fix-optional

Priority: -- → P2

Jan de Mooij [:jandem]

Reporter

Comment 2

•

6 years ago

I'm not working on this right now. I still think it's worth doing at some point, but we're not aware of any issues atm.

Flags: needinfo?(jdemooij)

Ted Campbell [:tcampbell]

Comment 3

•

3 years ago

TI was removed and that gun is no longer pointed at any feet.

Status: NEW → RESOLVED

Closed: 3 years ago

Resolution: --- → FIXED

Ryan VanderMeulen [:RyanVM]

Updated

•

3 years ago

Group: javascript-core-security → core-security-release

status-firefox59: fix-optional → wontfix

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Make setSlot/setElement more robust

Categories

(Core :: JavaScript Engine, enhancement, P2)

Tracking

()

People

(Reporter: jandem, Unassigned)

References

Details

(Keywords: sec-audit)

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Updated

Comment 2

Comment 3

Updated

Updated