Closed Bug 470041 Opened 11 years ago Closed 8 years ago

Object.prototype.__defineSetter__ allows object constructor to access remote objects

Categories

(Core :: JavaScript Engine, defect)

x86
Windows Vista
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 474501

People

(Reporter: gareth, Unassigned)

Details

(Whiteboard: [sg:want])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

The native Object can use prototype to define setter functions for any new object. This is bad because a remote web site can access the sensitive JSON objects from sites which use the Object constructor.

A sample can be viewed here:-
<script>
Object.prototype.__defineSetter__('a',function(prop){alert(prop);});
[{a:'stolen'}]
</script>

This is similar to the function Array(){} bug which fixed a while ago.

Reproducible: Always

Steps to Reproduce:
1.Run code supplied
2.
3.
Actual Results:  
Reads the contents of Objects yet to be defined.

Expected Results:  
Objects not assigned a name shouldn't be accessible before they are defined.
I don't think this is a bug, or if it is it wasn't explained clearly. Yes, you can have setters on the global Object prototype. That's a normal feature of the JS language.

How does this negatively affect JSON? If you are sourcing external JSON using <script> elements (instead of using an explicit JSON parser), you've already lost...
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Ben, this is another way to do a bug 376957 type attack. I could do:

  Object.prototype.__defineSetter__('email', function () {...});
  ...
  <script
src="https://mail.victimsite.com/address-book.json"></script>

to harvest addresses out of Jesse's example.
Yeah it's sorta the same issue. Isn't really a bug as such but because of how many sites design their JSON implementation they are vulnerable to this.
This is basically what bug 376957 comment 68 was talking about, right?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:want]
(In reply to comment #4)
> This is basically what bug 376957 comment 68 was talking about, right?

Yes.
Is this still an issue? Does this need to remain sec-sensitive?
Fixed long ago.
Group: core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 474501
You need to log in before you can comment on or make changes to this bug.