Bug 394815 (Closed)
Still possible to create __proto__ cycles with XOW
Opened 18 years ago, closed 18 years ago
Categories: Core :: XPConnect, defect
Status: RESOLVED FIXED
People: Reporter: jruderman, Assigned: mrbkap
Keywords: crash, regression, testcase
Attachments (2 files):
  101 bytes, text/html
  1.51 KB, patch (brendan: review+, brendan: superreview+, brendan: approval1.9+)
This crashes Firefox due to too much recursion:
<script>
var z = {};
window.__proto__ = z;
z.__proto__ = window;
for (var i in window) { }
</script>
The third line of the script should throw a "cyclic __proto__ value" error.
Comment 1 (Assignee) • 18 years ago
Brendan, I don't see any way to fix this without some sort of help from the JS engine. Furthermore, I don't see a way of fixing this that doesn't involve exposing the wrappers (through some sort of hook) to the engine.
Comment 2 • 18 years ago
Let's forbid setting __proto__ to anything but null, at least for XOWs. Good?
/be
Comment 3 (Assignee) • 18 years ago
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #281027 - Flags: superreview?(brendan)
Attachment #281027 - Flags: review?(brendan)
Updated (Assignee) • 18 years ago
Flags: blocking1.9?
Comment 4 • 18 years ago
Comment on attachment 281027
Proposed fix
Would it be better to do this before the wrappedObj's proto is changed, and fail for non-null newProto values? I.e. make XOWs stricter by not letting the wrapped object have a different (non-null) proto from the one set for the wrapper?
r+sr=me in case this does not make sense.
/be
Attachment #281027 - Flags: superreview?(brendan)
Attachment #281027 - Flags: superreview+
Attachment #281027 - Flags: review?(brendan)
Attachment #281027 - Flags: review+
Comment 5 (Assignee) • 18 years ago
I wanted to do that, but I don't know ahead of time if the wrapped object's prototype is Object.prototype, so setting xow.__proto__ could simply be setting a property named __proto__ (if e.g., the proto chain had been severed earlier).
Updated (Assignee) • 18 years ago
Attachment #281027 - Flags: approval1.9?
Updated • 18 years ago
Attachment #281027 - Flags: approval1.9? → approval1.9+
Updated • 18 years ago
Flags: blocking1.9? → blocking1.9+
Comment 6 (Assignee) • 18 years ago
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated • 18 years ago
Flags: in-testsuite?
Comment 7 • 18 years ago
(In reply to comment #2)
> Let's forbid setting __proto__ to anything but null, at least for XOWs. Good?
>
does __proto__ have legitimate usage?
it is not standard afaict.
Comment 8 • 18 years ago
__proto__ is moderately well-supported by the non-IE browsers, I believe; I don't have access to any at the moment to check for certain.
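The cycle check the description expects and the null-only rule proposed in comment 2, sketched as an added example on a toy object model. This is not code from this bug's patch or from Mozilla: `makeWrapper`, `unwrap` and the setter names are hypothetical, and the wrapper only approximates a XOW by forwarding to a wrapped object.

```javascript
// Toy object model, constructed for illustration (not SpiderMonkey or XPConnect code).
const makeObj = (name) => ({ name, proto: null });
// Hypothetical stand-in for a XOW: a distinct object that forwards to `wrapped`.
const makeWrapper = (wrapped) => ({ name: `wrapper(${wrapped.name})`, wrapped });
const unwrap = (o) => (o && o.wrapped ? o.wrapped : o);
// Wrapper-unaware check: compares identities along the links it can see.
function setProtoNaive(obj, newProto) {
  for (let p = newProto; p; p = p.proto) {
    if (p === obj) throw new TypeError("cyclic __proto__ value");
  }
  unwrap(obj).proto = newProto; // a wrapper forwards the write to the wrapped object
}

// Wrapper-aware check: unwraps at every step, following the chain lookups really take.
function setProtoUnwrapping(obj, newProto) {
  const target = unwrap(obj);
  for (let p = unwrap(newProto); p; p = unwrap(p.proto)) {
    if (p === target) throw new TypeError("cyclic __proto__ value");
  }
  target.proto = newProto;
}

// Rule proposed in comment 2: through a wrapper, only null is accepted.
function setProtoNullOnly(obj, newProto) {
  if (obj.wrapped && newProto !== null) {
    throw new TypeError("wrapper __proto__ may only be set to null");
  }
  setProtoUnwrapping(obj, newProto);
}
// Walks the effective chain with a visited set, so a cycle is reported, not recursed into.
function hasCycle(start) {
  const seen = new Set();
  for (let p = unwrap(start); p; p = unwrap(p.proto)) {
    if (seen.has(p)) return true;
    seen.add(p);
  }
  return false;
}
// Replays the testcase's two assignments against the given setter.
function replay(setProto) {
  const win = makeWrapper(makeObj("window"));
  const z = makeObj("z");
  let threw = null;
  try {
    setProto(win, z); // window.__proto__ = z
    setProto(z, win); // z.__proto__ = window
  } catch (e) { threw = e.message; }
  return { threw, cycle: hasCycle(z) };
}
```

`replay(setProtoNaive)` ends with a cycle and nothing thrown; `replay(setProtoUnwrapping)` throws on the second assignment and `replay(setProtoNullOnly)` on the first.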