Closed
Bug 470041
Opened 16 years ago
Closed 12 years ago
Object.prototype.__defineSetter__ allows object constructor to access remote objects
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 474501
People
(Reporter: gareth, Unassigned)
Details
(Whiteboard: [sg:want])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 The native Object can use prototype to define setter functions for any new object. This is bad because a remote web site can access the sensitive JSON objects from sites which use the Object constructor. A sample can be viewed here:- <script> Object.prototype.__defineSetter__('a',function(prop){alert(prop);}); [{a:'stolen'}] </script> This is similar to the function Array(){} bug which fixed a while ago. Reproducible: Always Steps to Reproduce: 1.Run code supplied 2. 3. Actual Results: Reads the contents of Objects yet to be defined. Expected Results: Objects not assigned a name shouldn't be accessible before they are defined.
Comment 1•16 years ago
|
||
I don't think this is a bug, or if it is it wasn't explained clearly. Yes, you can have setters on the global Object prototype. That's a normal feature of the JS language. How does this negatively affect JSON? If you are sourcing external JSON using <script> elements (instead of using an explicit JSON parser), you've already lost...
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Comment 2•16 years ago
|
||
Ben, this is another way to do a bug 376957 type attack. I could do: Object.prototype.__defineSetter__('email', function () {...}); ... <script src="https://mail.victimsite.com/address-book.json"></script> to harvest addresses out of Jesse's example.
Reporter | ||
Comment 3•16 years ago
|
||
Yeah it's sorta the same issue. Isn't really a bug as such but because of how many sites design their JSON implementation they are vulnerable to this.
Comment 4•16 years ago
|
||
This is basically what bug 376957 comment 68 was talking about, right?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:want]
Comment 5•16 years ago
|
||
(In reply to comment #4) > This is basically what bug 376957 comment 68 was talking about, right? Yes.
Comment 7•12 years ago
|
||
Fixed long ago.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•