Closed Bug 505205 Opened 16 years ago Closed 15 years ago

Property __proto__ exposes Object.prototype to unwanted change

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
major

Tracking

RESOLVED WONTFIX

People

(Reporter: J.Fine, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.11) Gecko/2009060309 Ubuntu/9.04 (jaunty) Firefox/3.0.11
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.11) Gecko/2009060309 Ubuntu/9.04 (jaunty) Firefox/3.0.11

The first script on the page can, I think, prevent access to Object.prototype (see below). Except __proto__ leaves a back-door which cannot be shut.

Reproducible: Always

Steps to Reproduce:
>>> delete Object.prototype.constructor
true
>>> Object = undefined
>>> ({}).__proto__.x = 1
1
>>> ({}).x = 1
1

Expected Results:
TypeError: {}.__proto__ is undefined

Instead of providing __proto__ why not provide a function, say
    window.extensions.mozilla.proto // proto for short
such that
    proto(obj) === obj.__proto__
I can then use
    delete window.extensions.mozilla.proto
to close this back door.
Summary: Attribute __proto__ exposes Object.prototype to unwanted change → Property __proto__ exposes Object.prototype to unwanted change
Object.getPrototypeOf in ES5 allows the same inspection as __proto__. Object initialisers are specified now (ES3 botched this, ES5 fixed) to use the original value of Object.prototype, even if you've deleted or overwritten Object in the global object (or the scope chain, if different). (Deleting constructor from Object.prototype does nothing in any event, and has never had any effects relevant to this bug.)

To shut the back door you have to sanitize all object initialisers by setting their __proto__ to your copy of Object.prototype that lacks a '__proto__' property, or else do as Caja and other such systems do and whitelist all property accesses (including computed ones that use o[id] or eval) carefully. There may be other ways of getting Object.prototype.

In any event, I think this bug is WONTFIX as reported. If we get rid of __proto__ then deleting Object might suffice to make the original value of Object.prototype inaccessible except via prototype-based delegation. But since __proto__ was emulated by all but IE (not sure about IE9), it will die hard. Anyway, removing __proto__ is a separate bug, and this bug is not "Firefox: Security".

/be
Assignee: nobody → general
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Component: Security → JavaScript Engine
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → general
Hardware: x86_64 → All
Resolution: --- → WONTFIX
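The reporter's steps and the sanitising step from the closing comment, as an added example that is not part of the bug report. It runs under Node.js; BASELINE, detectPrototypePollution, reproduceBackDoor and makeSanitized are names constructed for this illustration, and the "detector" is a simple baseline comparison added here, not something the page proposes.

```javascript
// Added example, not code from the bug report. Runs under Node.js.
// Shows (1) that an object initialiser still reaches the shared
// Object.prototype through __proto__ without touching the global
// `Object`, (2) a detector for properties added to Object.prototype,
// and (3) the sanitising step the closing comment describes.

// Baseline of Object.prototype's own property names, taken before any
// other script has had a chance to run.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Detection: names on Object.prototype that were not in the baseline.
// getOwnPropertyNames also catches non-enumerable additions.
function detectPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter(name => !BASELINE.has(name));
}

// Reproduction of the reporter's steps: the write through __proto__ lands
// on the shared prototype, so an unrelated object created earlier sees it.
// Returns what leaked and what the detector saw, then removes the property.
function reproduceBackDoor() {
  const victim = {};
  ({}).__proto__.x = 1;            // equivalent to Object.prototype.x = 1
  const result = { leaked: victim.x, detected: detectPrototypePollution() };
  delete Object.prototype.x;       // clean up for the rest of the process
  return result;
}

// Mitigation from the closing comment: give the object a private copy of
// Object.prototype that lacks the '__proto__' accessor. obj.__proto__ then
// reads as undefined and a write through it throws instead of reaching the
// shared prototype; Object.getPrototypeOf(obj) still works, as ES5 intends.
function makeSanitized(init) {
  const privateProto = Object.create(null);
  for (const name of Object.getOwnPropertyNames(Object.prototype)) {
    if (name === '__proto__') continue;
    Object.defineProperty(privateProto, name,
      Object.getOwnPropertyDescriptor(Object.prototype, name));
  }
  Object.setPrototypeOf(init, privateProto);
  return init;
}
```

Writes to the private prototype (via Object.getPrototypeOf) stay local to objects sharing that copy and never appear on a fresh `{}`.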