Open Bug 605054 Opened 14 years ago Updated 2 years ago

Storage mechanisms allow functions to be overwritten

Categories

(Firefox :: General, defect)

3.6 Branch
x86_64
Linux
defect

UNCONFIRMED

People

(Reporter: sam, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10

Scripts are currently allowed to overwrite Storage's setItem() and getItem() functions with any value, including null. This state is then persisted for as long as the specific storage mechanism would normally live (i.e., across tabs for localStorage).

Reproducible: Always

Steps to Reproduce:
localStorage.setItem = 'bar';
localStorage.setItem('a', 'b');  //error - not a function
localStorage.getItem('a');
localStorage.getItem('setItem'); //returns 'bar'
localStorage.getItem = null;

Actual Results:
Overwritten functions are persisted.

Expected Results:  
Storage should not store its own functions as data: the data being stored should be scoped differently in a private internal structure to prevent outside influence, allowing Storage to be extended properly without overwriting data. Also, the data itself should be private if getItem() and setItem() are to be provided, otherwise they can be easily circumvented.

I found this bug while attempting to extend localStorage's functionality by duck punching setItem(). For what it's worth, this was also found in Chromium.
Version: unspecified → 3.6 Branch
Severity: normal → S3
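
The behaviour described in this report, replayed against a small constructed model, together with the defensive pattern of calling the methods through the prototype (in a browser that would be `Storage.prototype`) and a check for method names shadowed by stored data. This is an added example, not code from the report or from Firefox; `ModelStorage`, `safeSet`, `safeGet`, `shadowedMethods`, `repair` and `demo` are hypothetical names.

```javascript
// Constructed model of the reported behaviour (not Firefox's implementation):
// stored keys live as properties on the same object that inherits the
// methods, so a stored key named like a method shadows it.
class ModelStorage {
  setItem(key, value) { this[key] = String(value); }
  getItem(key) {
    return Object.prototype.hasOwnProperty.call(this, key) ? this[key] : null;
  }
  removeItem(key) { delete this[key]; }
}

// Call the prototype's method directly, ignoring whatever a script has
// assigned on the instance. In a browser: proto = Storage.prototype.
function safeSet(store, key, value, proto) {
  proto.setItem.call(store, key, value);
}
function safeGet(store, key, proto) {
  return proto.getItem.call(store, key);
}

// List method names whose instance lookup no longer yields the prototype
// function, i.e. methods shadowed by stored data.
function shadowedMethods(store, proto) {
  return Object.getOwnPropertyNames(proto).filter((name) => {
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    return name !== 'constructor' &&
      typeof desc.value === 'function' &&
      store[name] !== desc.value;
  });
}

// Remove the shadowing keys through the prototype so the methods work again.
function repair(store, proto) {
  const fixed = shadowedMethods(store, proto);
  fixed.forEach((name) => proto.removeItem.call(store, name));
  return fixed;
}

// Overwrites setItem and getItem as the report describes, then observes.
function demo() {
  const proto = ModelStorage.prototype;
  const store = new ModelStorage();
  store.setItem = 'bar';
  store.getItem = null;
  let threw = false;
  try { store.setItem('a', 'b'); } catch (e) { threw = e instanceof TypeError; }
  safeSet(store, 'a', 'b', proto);  // still works via the prototype
  const seen = shadowedMethods(store, proto).sort();
  const a = safeGet(store, 'a', proto);
  const leaked = safeGet(store, 'setItem', proto);
  const repaired = repair(store, proto).sort();
  return { threw, seen, a, leaked, repaired, works: typeof store.setItem };
}
```

Code that shares an origin with other scripts can run `shadowedMethods(localStorage, Storage.prototype)` at startup to notice a persisted overwrite before relying on instance method calls.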