Closed
Bug 505593
Opened 16 years ago
Closed 12 years ago
JIT doesn't compare wrapped objects correctly, can spuriously return false
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: Waldo, Unassigned)
Details
It needs to unwrap objects before doing a direct pointer-comparison.
Comment 1•16 years ago
Is this a security problem?
Reporter
Comment 3•16 years ago
I don't think so, just means you get a wrong answer, but I'll defer to Blake.
Reporter
Comment 4•16 years ago
Also note in the unlikely event some algorithm is actually trying to be secure by object identity, it's not going to become *insecure* because it decides two windows (for example) are not the same object.
Comment 5•16 years ago
I agree with Jeff. Using a wrapper instead of the unwrapped object should never open a security hole (though, "never say never" disagrees with that statement).
Comment 6•15 years ago
Waldo + mrbkap == good enough consensus for me. Unhiding.
Group: core-security
Comment 7•12 years ago
This should have been fixed by new compartment invariants.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME