Closed
Bug 470041
Opened 16 years ago
Closed 12 years ago
Object.prototype.__defineSetter__ allows object constructor to access remote objects
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 474501
People
(Reporter: gareth, Unassigned)
Details
(Whiteboard: [sg:want])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
The native Object can use prototype to define setter functions for any new object. This is bad because a remote web site can access the sensitive JSON objects from sites which use the Object constructor.
A sample can be viewed here:-
<script>
Object.prototype.__defineSetter__('a',function(prop){alert(prop);});
[{a:'stolen'}]
</script>
This is similar to the function Array(){} bug which fixed a while ago.
Reproducible: Always
Steps to Reproduce:
1.Run code supplied
2.
3.
Actual Results:
Reads the contents of Objects yet to be defined.
Expected Results:
Objects not assigned a name shouldn't be accessible before they are defined.
|
||
Comment 1•16 years ago
|
||
I don't think this is a bug, or if it is it wasn't explained clearly. Yes, you can have setters on the global Object prototype. That's a normal feature of the JS language. How does this negatively affect JSON? If you are sourcing external JSON using <script> elements (instead of using an explicit JSON parser), you've already lost...
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
|
||
Comment 2•16 years ago
|
||
Ben, this is another way to do a bug 376957 type attack. I could do: Object.prototype.__defineSetter__('email', function () {...}); ... <script src="https://mail.victimsite.com/address-book.json"></script> to harvest addresses out of Jesse's example.
|
Reporter | |
Comment 3•16 years ago
|
||
Yeah it's sorta the same issue. Isn't really a bug as such but because of how many sites design their JSON implementation they are vulnerable to this.
|
||
Comment 4•16 years ago
|
||
This is basically what bug 376957 comment 68 was talking about, right?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:want]
|
|
||
Comment 5•16 years ago
|
||
(In reply to comment #4) > This is basically what bug 376957 comment 68 was talking about, right? Yes.
|
||
Comment 7•12 years ago
|
||
Fixed long ago.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•