Open
Bug 605054
Opened 14 years ago
Updated 2 years ago
Storage mechanisms allows functions to be overwritten
Categories
(Firefox :: General, defect)
Tracking
()
UNCONFIRMED
People
(Reporter: sam, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10 Scripts are currently allowed to overwrite Storage's setItem() and getItem() functions with any value, including null. This state is then persisted for as long as the specific storage mechanism would normally live (ie., across tabs for localStorage). Reproducible: Always Steps to Reproduce: localStorage.setName = 'bar'; localStorage.setName('a', 'b'); //error - not a function localStorage.getName('a'); localStorage.getName('setName'); //returns 'bar' localStorage.getName = null; Actual Results: Overwritten functions are persisted. Expected Results: Storage should not store its own functions as data: the data being stored should be scoped differently in a private internal structure to prevent outside influence, allowing Storage to be extended properly without overwriting data. Also, the data itself should be private if getItem() and setItem() are to be provided, otherwise they can be easily circumvented. I found this bug while attempting to extend localStorage's functionality by duck punching setItem(). For what it's worth, this was also found in Chromium.
Updated•13 years ago
|
Version: unspecified → 3.6 Branch
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•